Michaels finally confirms massive POS hack (Aaron Bros. as well)

Michaels -- Where Hacking Happens (again)

Crafty hackers hack craft stores -- again.

Michaels Stores (NYSE:MIK) has finally confirmed the details of the point-of-sale hack revealed in January. It's unclear what's taken them so long -- the company claims the hack was "highly sophisticated," but everyone uses a blah-blah phrase like that.

Your humble blogwatcher notes that the problem persisted for more than a month after the news first broke. smh.

In IT Blogwatch, bloggers are aghast that, for the second time, the company's POS was hacked -- lasting almost nine months.

Your humble blogwatcher curated these bloggy bits for your entertainment.


"I told you so," Brian Krebs seems to say:

Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches...may have exposed as many as 3 million customer credit and debit cards. [They're] the first real details about the breach since the incident was first disclosed by [me] on January 25.

The Michaels breach first came to light just weeks after retail giant Target Corp. said that cyber thieves planted malware on cash registers at its stores. [And it's] the second time in three years that Michaels Stores has wrestled with a widespread compromise. ... In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices...across the country, from Washington, D.C. to the West Coast.  MORE


Lehar Maan and Devika Krishna Kumar report from offshore, oddly:

Michaels Stores Inc, the biggest U.S. arts and crafts retailer [said] there was no evidence that data such as customers' name or personal identification number were at risk.

[Its] major investors are Blackstone Group LP and Bain Capital LP. [It] resubmitted its IPO documents late last month following a restructuring. [It] owns several private brands such as Recollections, Artist's Loft and Loops & Threads, competes with Hobby Lobby Stores Inc, Jo-Ann Stores Inc and Wal-Mart.  MORE


So Michaels' faceless PR drones FAQ it up (the on-message phrase of the day appears to be "criminals using highly sophisticated malware"):

We previously informed our customers that we might have experienced a data security issue. ... After weeks of analysis, we discovered...Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked. ... The affected U.S. systems contained certain payment card information, such as payment card number and expiration date. ... We also have been working closely with law enforcement authorities and coordinating with banks and payment processors

The attack targeted a limited portion of the point-of-sale systems at a varying number of Michaels stores between May 8, 2013 and January 27, 2014...approximately 2.6 million cards may have been impacted.

Between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected...approximately 400,000 cards were potentially impacted.  MORE


But Ethan Hollinger sounds slightly sarcastic:

It's never anything simple, like plain incompetence or not following "best practices". In this case we're told it was "highly sophisticated malware."

Yeah, sure, because a store that sells low cost craft supplies like Michaels does is undoubtedly a "high value" target worthy of only the most advanced malware ever written.  MORE


Meanwhile, his name is Luka; he lives in Slovenia (yes, I think you've seen him before):

I noticed that this haul lasted about 9 months which makes me wonder if anyone was awake at Michaels during that time.  MORE


And Shea Hutchison is even more blunt:

Twice in two years? Are they even trying?  MORE
