UPDATED 17:45 EDT / APRIL 18 2014

Michaels breach – a sign of the times?

Tango down! Michaels has confirmed the latest in credit card breaches: as many as 3 million credit and debit cards were potentially stolen in yet another retail malware attack. Michaels officially reports that the situation has been contained, but for many it echoes last year’s massive POS malware attacks on Target, which affected 40 million credit and debit cards over a long period of weeks. The national arts and crafts retail chain states that its investigations found two separate breaches that took place over eight months each. The story first broke on Brian Krebs’s blog, KrebsOnSecurity, in January. At that time, Michaels announced its investigation was underway. The attacks also affected Aaron Brothers customers, and they are being notified as well.

We previously informed our customers and relevant regulators that we might have experienced a data security issue. Since the announcement, we retained two independent, expert security firms to conduct an extensive investigation. We also have been working closely with law enforcement authorities and coordinating with banks and payment processors to determine the facts. As soon as available, we provided data about potentially affected payment cards to the relevant card brands so they could take appropriate action. –Michaels

The statement on the company’s website provides a number of details about the breach, and the scope of the impact that was experienced.

The attack targeted a limited portion of the point-of-sale systems at a varying number of Michaels stores between May 8, 2013 and January 27, 2014. Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue. The analysis conducted by the security firms and Michaels shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed here. – Michaels

Aaron Brothers locations saw about 400,000 cards impacted throughout 54 stores between June 26, 2013, and Feb. 27, 2014. Michaels also indicates that there is no evidence that any other personal information, including names, addresses or debit card PIN numbers, was at risk during the two cyber attacks.

Oooh, protection

 

Like Target before it, Michaels is offering some protection to those affected. That includes one year of free identity protection, credit monitoring and fraud assistance services. Thus far, the company states that it has received only a ‘limited number’ of reports of fraudulent payments from bank and credit cards.

This part is interesting as well:

After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms. – Michaels press release

Thus far there have been no reports on what type of malware was used against the company, or whether the breach was conducted in a manner similar to the Target breach. It certainly appears similar in that malware was used, but much remains to be seen. This malware was previously unseen, and that suggests another specialized zero-day payload. Expect more details to come forward in the weeks to come.

One thing that has become something of a standard response in these breaches is the offer of credit monitoring to the affected consumers. It is little consolation to those already affected, but it is a token of culpability of sorts that may assuage some. Actual restoration and recovery from identity theft and fraud takes much longer and isn’t a component of what is commonly offered in these breach incidents. Unfortunately this breach, along with others, is a sign of the times: large soft targets, backed by big rewards for the outfit that launches the attack. The public must be wondering what they can do about this themselves.

The situation also stirs up several tenets of security, not only in whatever gap may have been behind the breach, but in other ways as well. For one, there is the fact that two separate unnamed security outfits were brought in to validate the damage in a response situation. At one point it seemed the discovery produced little if anything. At least at this point, how Michaels implements security involves a third party; for now it is unclear if Michaels had previously gone it alone. That would be atypical, as most large organizations bring in the skills of qualified specialists to build and validate environments that require security and the things that come along with it, like PCI and other compliance standards. Target’s partner Trustwave was getting dragged into this path of culpability, but the parties recently pulled back on that. As in the case of Target, the industry will be evaluating this particular Michaels breach for weeks and months to come.
