Hackers Pull off a Crafty Attack on Michaels

Customers of nationwide arts and crafts retailer Michaels may have something messier to clean up than their latest DIY creation. It appears as though Michaels is the latest victim in a string of cyber attacks targeting major U.S. brands. This attack follows data breaches at Target and Neiman Marcus, making this the third cybercriminal attack on a nationwide retailer less than one month into the New Year.

According to security blogger Brian Krebs, credit and debit cards used at Michaels stores have been linked to hundreds of fraudulent transactions occurring over the past few days. Though Michaels has yet to confirm this potential security breach, the company has issued a statement warning that one may have occurred. The U.S. Secret Service has also come forward to aid the investigation.

Unfortunately for Michaels, if this breach does turn out to be legitimate, it will be the second time the company has been hit by such a scam in the past three years. In 2011, Michaels reported that point-of-sale systems in a small number of its retail stores were found to have been tampered with by thieves. This high-profile attack resulted in the theft of payment card information for approximately 94,000 Michaels shoppers.

There is no information on how many consumers may have been affected this time around, nor is it known how long this attack may have gone on unnoticed. One can only hope that the scale does not match the large numbers of affected customers from the Target or Neiman Marcus breaches.

At this time, it is also unclear how the scammers were able to obtain Michaels’ customer data (if in fact they were), but it is entirely possible that this breach is part of a larger attack plan. Reuters reported earlier this month that the same group of cybercriminals who struck Target and Neiman Marcus had set their sights on a number of smaller retailers as well. With more than 1,000 retail locations nationwide, Michaels isn’t exactly “small,” but timing and approach appear to be in step with the previous attacks. As one of Krebs’s sources explains, “It really does look like kind of the way we saw the Target breach spin up, because the fraud here isn’t limited to one store or one area, it’s been all over the place.”

With Target and Neiman Marcus, cybercriminals used malware to compromise the software on the point-of-sale machines at these retailers’ physical locations. This approach may also be the method used in the latest Michaels heist. It differs from the attack that struck the crafting retailer in 2011, because compromising the software behind the point-of-sale device doesn’t require the criminal to physically enter the store and tamper with the machines. As a result, this time around cybercriminals were able to steal data at what appears to be a nationwide level, versus the more localized scam of 2011.

With the increase of point-of-sale attacks at many of the retail stores you know and love, what can you do to protect your data and financial well-being? Follow these steps below to get a leg up on cybercriminals:

  • Use one credit card for all shopping—both online and off. If you have a dedicated credit or debit card to use for all of your shopping, it will be easier to cancel it should one of the stores you shop at be attacked by cybercriminals. One-time use credit cards are also a good idea, especially for online shopping transactions. These cards, offered by many banks, are designed to protect your account from identity thieves.
  • Sign up for credit monitoring and identity theft protection if it’s offered. Both Target and Neiman Marcus are offering free credit monitoring and identity theft protection services. If Michaels ends up confirming this cyber attack, it’s likely they will offer a similar service to those affected.
  • Check and monitor your statements. If you shopped at a Michaels store recently, fraudulent charges may have already begun to show up on your statements. Go through your transaction history with a fine-tooth comb to be sure you’re not being taken advantage of.
  • Contact your bank if you notice suspicious activity. In the event that you do see odd charges on your credit or debit card statement, contact your bank immediately. They will be able to provide you with a list of next steps and cancel your card if necessary.

To continue to receive updates on this developing story and others like it, follow @McAfee_Home on Twitter and Like us on Facebook.

Gary Davis
