Arts and crafts retailer Michaels Stores Inc warns over credit card fraud

Michaels Stores Inc., US-based arts-and-crafts retailer, confirmed it is investigating a possible data breach affecting customer cards.

Michaels Stores Inc., US-based arts-and-crafts retailer maybe is the last victim of a massive data breach, a few weeks after the hack of US retailer Target and Neiman Marcus. Michaels Stores Inc has more than 1,250 stores across the United States, according different sources in the banking industry the company is a victim of a credit card fraud. Fraud experts have detected a pattern of illicit activity on a set of cards all recently used at the store of the company.

According sources at four different financial institutions, hundreds of customer cards used at Michaels stores  had been recently used for fraudulent purchases. It is not the first time that Michaels suffered a data breach, In 2011 the company disclosed that criminals compromised point-of-sale devices in some Chicago and Washington locations.

The popular investigator Brian Krebs revealed on his blog to have contacted the company listed as the press contact on michaels.com, SPM Communications, but after he was redirected to a crisis communications firm, he hasn’t received any comment.

The US Secret Service has confirmed it is investigating on a potential data breach at Michaels, the company also started its analysis and issued a statement in which it confirmed that it was informed on a possible fraudulent activity on some U.S. payment cards that had been used at Michaels.

“The Company is working closely with federal law enforcement and is conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information the Company has received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred.”

“We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue,” said Chuck Rubin, CEO. “While we have not confirmed a compromise to our systems, we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves, for example, by reviewing their payment card account statements for unauthorized charges.” states the official statement.

Brian Krebs reported that the fraudulent purchases on those cards took place at big stores like BestBuy and Target.

“What’s interesting is there’s another [arts and framing] store called Aaron Brothers, and within past week or two there was a lot of activity talking about Aaron Brothers,” ”One of the things I learned the other day is that Aaron Brothers is wholly owned by Michael’s. It really does look like kind of the way we saw the Target breach spin up, because the fraud here isn’t limited to one store or one area, it’s been all over the place.” revealed a source to Krebs.

In time I’m writing, there are no news on how criminals have stolen the credit card data, it’s normal that many security experts immediately linked this incident to the recent data breaches for which BlackPos malware was used.  Just a few days ago Neiman Marcus informed the press that the breach is suffered from July 16, 2013 to Oct. 30, 2013 and may have impacted more than 1.1 million customer cards.

Let’s wait for further information.

Pierluigi Paganini

(Security Affairs –  Michaels Stores, Data breach)