After Target and Neiman Marcus, Michaels Stores is the next in a line of U.S. retailers to reveal that it is investigating a possible security breach that may have resulted in the compromise of customer payment cards.
Details are sparse as an investigation is ongoing, but Michaels CEO Chuck Rubin made the announcement on Saturday, shortly after technology writer Brian Krebs reported that the retailer was investigating a breach.
According to a notification letter being sent to impacted customers, Michaels only recently learned of possible fraudulent activity on cards that had been used in its stores. The letter does not say how many customers may have been impacted, does not explain what might have happened and when, and does not reveal when Michaels first learned an incident may have occurred.
“We are working closely with federal law enforcement and are conducting an investigation with the help of third-party data security experts to establish the facts,” Rubin said in the letter, also indicating that Michaels will offer free identity theft protection and credit monitoring services if an incident occurred.
“This should be a huge wake up call for companies to think about security from an 'inside-out' perspective, assuming the bad guys are already on the network,” Eric Chiu, president of HyTrust, told SCMagazine.com in a Monday email.
He added, “Access controls, role-based monitoring and data encryption are critical to ensure that data is protected from attackers that might be on your network.”
With all breaches of payment card data, Chiu recommends that impacted customers monitor their accounts, particularly for smaller charges, as those can be indicative of an attacker checking to see if a card has been canceled. Chiu also recommends changing PIN data and being wary of phishing emails that tend to circulate following these types of incidents.
Since Target announced that 40 million payment cards, among heaps of other information, were compromised in a breach of its point-of-sale (POS) machines, several reports have come out that reveal attackers used a piece of memory-scraping malware known as KAPTOXA to compromise the POS devices.
According to a Thursday Reuters report, the FBI has warned U.S. retailers that companies should be expecting more payment card breaches, particularly due to the accessibility of these types of malware. The FBI discovered roughly 20 of these types of cases in the past year, the report adds.
“Last year saw an increase in cases of fraud at the point of sale, and this is one of the reasons why certain industry commentators have called for reconsideration on the use of Chip and PIN at the point of sale,” Steve Durbin, global vice president of the Information Security Forum, told SCMagazine.com in a Monday email.
Durbin added that these types of incidents underscore a need for organizations to better protect data, to plan for losses of such data, and to have resilience and recovery plans in place.
[An earlier version of this story has been updated to clarify that Michaels is investigating a possible breach, not that the breach actually occurred].