Crafts retailer Michaels is investigating data breach

1/25/2014
BY NICOLE PERLROTH
NEW YORK TIMES

SAN FRANCISCO — In what may be the latest in a continuing spate of cyberattacks on U.S. retailers, Michaels Stores said today that it was investigating a potential security breach involving customers’ credit card information.

Michaels, an arts and crafts retailer based in Irving, Texas, said it was looking into reports of fraudulent activity on credit cards belonging to its customers. But the company said it had not yet confirmed a breach, and did not say how many credit cards were potentially compromised. The retailer operates more than 1,000 stores in the United States and Canada.

The Secret Service is investigating the breach, and is conducting separate inquiries of recent breaches at Neiman Marcus and Target.

“Although the investigation is ongoing, based on the information the company has received and in light of the widely reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred,” the company said in a statement.

If the breach is confirmed, Michaels will be the third major retailer — after Target and Neiman Marcus — to confirm that its systems were compromised after an investigation by Brian Krebs, a security blogger, who first reported today that Michaels had potentially experienced a breach.

The recent breach at Neiman Marcus may have compromised more than 1 million of its customers’ payment cards, while the Target breach affected 70 million to 110 million people. In both cases, malware was installed on the retailers’ systems, feeding customers’ payment details back to criminals’ computer servers.

The breaches at Neiman Marcus and Target are believed to have been perpetrated by the same group of criminals in Eastern Europe, and to be part of a broader cyberattack directed at as many as six other retailers, according to two people investigating the breaches who were not authorized to speak publicly.