Search Results : Hancock Fabrics

Mar 05 2010

Hancock Fabrics today confirmed what had been reported in the media back in October and November of 2009: customers in a number of states had their debit and credit card data stolen by skimmers in some of the stores. The data theft occurred during the period of August-September, 2009, but reports of fraud did not appear in the media until October.

In a press release issued today, Hancock Fabrics said:

While the number of potentially affected stores involved in this situation is limited, the data accessed may have included customer information such as the name printed on a customer’s payment card, the card number, the card expiration date, and/or a PIN number when one was entered in a PIN debit transaction. It is important to note however that this theft does not involve customers’ social security numbers.

The company did not reveal the location or number of stores in which the compromised scanners were located, nor the number of customers who had reported fraudulent charges on their cards after using the cards at the stores, but as of November, there were at least 140 reports from victims in California, Wisconsin and Missouri. The company has posted an open letter to customers on its web site.

In March 2009, Hancock Fabrics was involved in another data breach when employee payroll records for their Huntsville, Alabama store were found unshredded in the trash behind the business. The payroll records, which went back to 2005, contained social security numbers, pay rates, and first and last names.

Nov 23 2009

Linda McGlasson reports:

Bank customers in California, Wisconsin and Missouri are reporting fraudulent ATM withdrawals that police say are tied to transactions conducted with the Hancock Fabrics retail chain.

In California, Napa Police Department spokesman Brian McGovern says 60 residents reported their cards being used by thieves….. At about the same time, as many as 70 Wisconsin victims reported suspicious ATM withdrawals from their accounts, according to Wood and Portage county law enforcement, which also ties the thefts to machines in Hancock Fabrics stores…. And in Missouri, at least 10 customers at Hancock Fabrics in the St. Louis area reported their debit card numbers and pin numbers stolen during the week of November 9.


Hancock Fabrics, Inc. operates 264 stores in 37 states and an Internet store. Stores are primarily located in strip shopping centers.

As of the time of this posting, Hancock has neither denied nor confirmed that they have experienced a breach.

Apr 19 2010

Linda McGlasson writes:

The Hancock Fabrics data breach continues to raise new questions about the security of point of sale (POS) devices at retail stores.

In March, the national fabric store chain publicly confirmed the breach it suffered last summer, sending an open letter to its customers, revealing: “PIN pad units at a limited number of Hancock Fabrics stores were stolen and replaced with visually identical, but fraudulent, PIN pad units. This may have allowed criminals to capture – or “skim” — payment card data during transactions.”

Hancock didn’t reveal the locations or number of stores where point of sale scanners were compromised — nor the number of customers who had their card data taken — but at least 140 reports from customers in California, Wisconsin and Missouri show the pervasive nature of the fraud.

The lesson here: It is relatively easy for fraudsters to tamper with or even swap out POS PIN Entry Device (PED) pads, and these types of incidents are likely to increase, putting retailers, consumers and banking institutions at risk of future card-related fraud.

“These incidents are part of an ongoing trend where criminals are targeting non-PCI and PED-compliant point of sale terminals with devices installed to capture cardholder data,” says Mike Urban, Sr. Director of Fraud Solutions at FICO.


May 11 2011

As noted yesterday by Brian Krebs, the Michaels Store breach appears to be significantly larger than what was originally reported on May 4.  NBC in Chicago reports:

The Irving, Texas-based company reports it removed 7,200 PIN pads from stores as a precautionary measure. Of those removed, less than 90 devices (or 1 percent of the total devices) were identified as being compromised.

“The company has commenced replacing these PIN pads in all US stores,” Michaels said in an official statement, “and expects the replacement to be completed within the next 15 days.”

The list of 20 states with PIN pad tampering includes Illinois, Georgia, North Carolina, Ohio, Virginia, New Mexico, Iowa, Delaware, Colorado, Pennsylvania, Rhode Island, Utah, New Jersey, Nevada and Washington.

Gregory Karp of the Chicago Tribune adds:

Illinois was hit the hardest, with PIN pads compromised in 14 Michaels stores, all in the Chicago region. They are Bloomingdale, Burbank, Chicago Ridge, Downers Grove, Glenview, Gurnee, McHenry, Mount Prospect, Naperville, Niles, Norridge, Skokie, Vernon Hills and Willowbrook.

The fraud attack has led many banks to proactively freeze bank accounts of customers they think may be vulnerable. For example, Marquette Bank, with 24 branches in the Chicago region, said 1,900, or 3 percent, of its customers were identified as potential victims, meaning they made a PIN-based debit card transaction at Michaels over the past six months.

“We were able to identify fraud early, before Michaels went public with their data breach, so we were able to avoid large losses,” said bank spokesman Jeff McDonald. The bank posted warnings on its Web page and on social media site Twitter, while it also called customers, sent letters and began proactively replacing debit cards of some customers. “Unfortunately, we have become experts in addressing these issues quickly with minimal customer inconvenience after dealing with past retail store breaches,” he said.


Credit Union 1 recently posted a warning on its website: “Due to an enormous surge in fraudulent ‘Pin based’ ATM transactions in California throughout the financial industry, Credit Union 1 has shut down the availability of ‘Pin based’ ATM transactions in California only. Effective immediately, when a ‘Pin based’ transaction occurs in California, your Credit Union 1 Visa Debit card will be ‘flagged and will not be able to be used again.”

A list of stores known to be affected is included in Michaels Stores’ official statement on pages 2 and 3.

This whole incident is reminiscent of the breaches involving Hancock Fabrics and ALDI.