Thieves Getting Crafty: Michaels Hit By Possible Data Breach

Another day, another data breach. At least, that’s how it’s starting to feel as more and more U.S. companies report that customer data has been accessed, stolen or compromised after credit or debit cards were used in-store. As January came to an end, Michaels – the nationwide craft store that, like glitter, often seems to be everywhere – issued a press release announcing “possible fraudulent activity on some U.S. payment cards that had been used at Michaels.” The statement continues:

Customers are being urged to double-check card statements and be on the lookout for unusual activity.

It didn’t take long for the now well-oiled cogs to start turning. On Monday, January 24, Secret Service spokesman Edwin Donovan confirmed to Reuters that the agency is investigating the breach, although Michaels has not yet confirmed that its systems have been compromised. And now, attorneys across the country are considering class action lawsuits over the breach.

It’s a sign of the sheer scale of the problem that an unconfirmed breach is enough to warrant a public warning , the interest of a government security agency, and the interest of attorneys. Customers are being urged to double-check card statements and be on the lookout for unusual activity. Unfortunately, there’s no word yet on how many might be affected, or the dates between which card information may have been accessed.

Michaels CEO Chuck Rubin is keen to reassure customers that the company is taking the possible breach as seriously as possible. “The privacy and security of our customers’ information is of critical importance to us and we are focused on addressing this issue,” Mr. Rubin said. Still, this could be the second data breach to hit Michaels within the last few years; in 2011, in-store card readers at more than 7000 Michaels stores nationwide were tampered with in an effort to gain customers’ card information. Although this new breach remains only a possible breach, Krebs on Security, Brian Kreb’s leading cybersecurity blog, reported in January that:

Worrying stuff indeed. There’s one good thing, though; if you’d like to read more about data breaches, you’re in luck – there’s no shortage of news. Target continues to investigate a breach that jeopardized the information of millions of customers, several major hotel chains reported in February that customers’ information may have been stolen, and Neiman Marcus announced recently that it, too, is working with Secret Service personnel to investigate the theft of 1.1 million credit and debit card numbers.

If companies systems have been accessed by criminals, there’s not a lot that customers can do on their end to improve security. At the moment, online purchases seem to be unaffected, with data breaches affecting only customers who used cards to pay in-store. You can always pay in cash, of course, though this becomes impractical. The best advice seems to be to check your bank statements and flag any unusual or unauthorized payments as fast as possible. In the case of the Target breach, many banks chose to issue new cards to affected customers. Either way, the impetus has to be on the companies, and not their loyal customers, to ensure all transactions are safe and secure. If they can’t promise that, then there’s some serious soul-searching to be done in the U.S. corporate world.