“We are working closely with federal law enforcement and are conducting an investigation with the help of third-party data security experts to establish the facts,” said Chuck Rubin, company CEO, in a letter to customers on the Michaels website. “Although the investigation is ongoing, based on the information we have received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, we believe it is appropriate to notify our customers that a potential issue may have occurred.”
Rubin said that if any customers are found to have been affected, Michaels will offer identity protection and credit monitoring services to them at no cost.
It’s unclear whether this will turn out to be another Target-level mass infiltration, but security researcher Brian Krebs reported Friday that a large credit card processor was seeing fraud on “hundreds of cards over the previous two days” that had all been recently used at Michaels.
“What’s interesting is there’s another [arts and framing] store called Aaron Brothers, and within the past week or two there was a lot of activity talking about Aaron Brothers,” an anonymous source within the card processor told him. “One of the things I learned the other day is that Aaron Brothers is wholly owned by Michaels. It really does look like kind of the way we saw the Target breach spin up, because the fraud here isn’t limited to one store or one area, it’s been all over the place.”
The attack against Target compromised data on as many as 110 million people during the busy holiday shopping period: roughly 40 million payment card numbers plus personal information on up to 70 million customers. And earlier this month, luxury department store Neiman Marcus revealed a breach that affected 1.1 million cards. BlackPOS (also known as Kaptoxa), a memory-scraping PoS malware that harvests card track data from a terminal’s RAM during the brief window in which it sits there unencrypted, and that is pushed out to stores and collects its loot through a central server, is thought to be the culprit in both cases.
While we wait to hear more details on Michaels, it’s worth noting that the feds have issued a three-page advisory to major retailers warning them of the likelihood of more PoS-based attacks. The FBI said Jan. 17 that there have been at least 20 hacking cases in the past year involving the specific malware used in the Target hack, which sells for under $3,000 in underground cybercrime forums.
"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," said the advisory, as reported by Reuters. "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cybercrime attractive to a wide range of actors.”
What’s to be done? Better card technology, for one. Last week, the National Retail Federation sent a letter to congressional leaders urging a transition to the chip-and-PIN (EMV) cards that are widely used around the world. These store the card data in an embedded microchip and require a PIN rather than a signature. Unlike magnetic stripe cards, which the NRF calls “1960s technology,” they do not depend on the static track data on the stripe: the chip authorizes each transaction with a one-time cryptographic code, so data captured from a terminal cannot simply be copied onto a counterfeit card and replayed. (A stolen card number can still be used in card-not-present fraud, so chip cards are a mitigation for cloning, not a cure for breaches.)
"The National Retail Federation and our 12,000 members are committed to combating this criminal threat to our industry and our customers, and we strongly recommend the adoption of meaningful steps to fight cyber-theft and credit card fraud," NRF President and CEO Matthew Shay wrote in the letter sent to US Senate Majority Leader Harry Reid (D-Nev.) and House Speaker John Boehner (R-Ohio).
He added, "For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN and chip card technology for customers in Europe and dozens of other markets.”
Retailers, meanwhile, need to reconsider their security approaches, it would seem. “Breaches are happening more and more often, with Michaels being possibly the latest victim on the heels of Target, Neiman Marcus, Adobe and Snowden,” said Eric Chiu, president and co-founder of HyTrust, in a comment to Infosecurity. “And we’re seeing many of them going undetected for weeks, which makes the impact even greater. This should be a huge wake up call for companies to think about security from an 'inside-out' perspective, assuming the bad guys are already on the network. Access controls, role-based monitoring and data encryption are critical to ensure that data is protected from attackers that might be on your network.”
Consumers who think they may have been affected by a breach should look for any unusual charges on their statements, however small: attackers often start with a few low-value purchases to confirm that a stolen card is still active before selling it or running larger charges. Affected consumers should request a replacement card, change their PIN and online banking password, and sign up for fraud monitoring.
Also, “be on the lookout for phishing attacks,” Chiu said, noting that criminals often use personal information gleaned from data breaches to mount spam campaigns aimed at compromising individuals’ computing devices for a second wave of criminal activity. “Try to refrain from opening emails from suspicious parties, and don’t click on any links or open any attachments in messages either. Instead, call the company to verify what the email is asking for.”