Thief Who Swiped 94,000 Credit Card Numbers At Michaels Stores In NY, NJ, CT, PA Sentenced

Jerry DeMarco reports an update to a breach previously covered extensively on this site over the past decade. A member of an ID theft ring that stole more than $600,000 from customers at Michaels stores in New York, Connecticut, New Jersey, Pennsylvania, and elsewhere was sentenced to 51 months in federal prison on Thursday. Jose “Tito” Salazar, age 45, of Riverside, CA was part of a crew that replaced card-reading terminals at the arts and crafts retailer with wireless imitations that they used to capture customers’ bank account numbers and PINs, Acting US Attorney for New Jersey Rachael A. Honig said. Read more on The White Plains Daily Voice.

Michaels Stores (finally) confirms breach affecting 2.6M cards at Michaels, 400K at Aaron Brothers

Michaels Stores, who announced on January 25 that they had been informed of a possible breach that they were investigating, has now (finally) confirmed the breach first reported by Brian Krebs. Posted on their web site today: In January, we notified you that we might have experienced a data security incident. We wanted you to know quickly so you could take steps to monitor activity on your payment card account. Since that time, we have continued our extensive investigation with the help of two independent, expert security firms. We have also been working closely with law enforcement authorities and coordinating with banks and payment processors to determine the facts. After weeks of analysis, we have discovered evidence confirming that systems of Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms. We want you to know we have identified and fully contained the incident, and we can assure you the malware no longer presents a threat to customers while shopping at Michaels or Aaron Brothers. Here are additional facts we have determined from our continuing investigation: The affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. There is no evidence that other customer personal information, such as name, address or PIN, was at risk in connection with this issue. Regarding Michaels stores, the attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014. Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue. The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on Regarding Aaron Brothers, the Company has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware. The Company estimates that approximately 400,000 cards were potentially impacted during this period. The locations for each affected Aaron Brothers store are listed on The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers. […] Read their CEO’s full statement here.  The companion press release can be found here. Affected Aaron Brothers’ stores Affected Michaels stores And yes, the Michaels store I used my card at was involved, but damned if I remember what dates I used the card on. I guess I’ll have to wait to see if I get a notification letter from the card issuer. Post corrected to delete incorrect date of Brian Kreb’s disclosure of breach.  

Michaels Stores: two months later, no update?

On January 25, Michaels Stores issued a statement that began: Michaels Stores, Inc. (the “Company” or “Michaels”) recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack. The Company is working closely with federal law enforcement and is conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information the Company has received and in light of the widely reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred. A similar notice was posted on Aaron Brothers’ web site. Aaron Brothers is an arts and framing chain of 152 stores, and is owned by Michaels Stores. It is now two months later, and there’s been no updated statement confirming or denying any breach. The statement on their web page about the alleged incident starts: At this time we are still unsure that an incident occurred, but we are working very hard to establish the facts, and promise to update this page as we have more information. but there is no date on that statement. So two months later, they haven’t found evidence of a breach? Some breaches can take months to detect, but is it possible this was a false alarm? So far, I haven’t seen any consumers complaining online about having become victims of card fraud after shopping at Michaels Stores. I’ll be curious to see their update when they issue it. In the meantime, a lawsuit filed against Michaels only two days after Michaels’ announcement seems to be adding more plaintiffs for a class action lawsuit, although none of them seem to be alleging they suffered any card fraud, and the basis for their suit seems to rely on Brian Kreb’s column and Michaels Stores’ January 25th statement that they were investigating the allegations.    

Michaels Stores Sued After Reporting Possible Data Breach

Andrew Harris reports: Michaels Stores Inc. (MIK:US), the world’s largest arts-and-crafts retailer, was sued by a customer for failing to safeguard data after the company said some payment-card information may have been used fraudulently. The Irving, Texas-based company said Jan. 25 that it “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting the company may have experienced a data security attack.” Christina Moyer, an Illinois consumer, sued the company today in federal court in Chicago, accusing Michaels of breaching an implied promise to protect that information. Moyer claims she and other customers on whose behalf she filed the complaint must spend time and money to deal with the consequences. Read more on Bloomberg Businessweek. And yes, if you’re thinking, “Wait, they haven’t even confirmed there’s been a breach yet,” you’re right. So why this rush to a lawsuit? The case is Moyer v. Michaels Stores, 14-cv-561, U.S. District Court, Northern District of Illinois (Chicago).

Michaels Stores reports possible card breach

Brian Krebs has the scoop again. This time it’s Michaels Stores (yes, them again) that may have had a security breach. Read more on Having had the story start to leak out earlier, Michaels has now issued a statement: Michaels Stores, Inc. (the “Company” or “Michaels”) recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack. The Company is working closely with federal law enforcement and is conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information the Company has received and in light of the widely reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred. “We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue,” said Chuck Rubin, CEO. “While we have not confirmed a compromise to our systems, we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves, for example, by reviewing their payment card account statements for unauthorized charges.” Mr. Rubin added, “Throughout our 40-year history, our customers have always been our number one priority and we deeply regret any inconvenience this may cause. The privacy and security of our customers’ information is of critical importance to us and we are focused on addressing this issue.” Michaels will post information related to its ongoing investigation as appropriate on the Company’s website, About Michaels Irving, Texas-based Michaels Stores, Inc. is North America’s largest specialty retailer of arts, crafts, framing, floral, wall decor and seasonal merchandise for the hobbyist and do-it-yourself home decorator.

Two sentenced for role in Michaels Stores data theft and misuse

Two southern California men were sentenced in the U.S. District Court for the Northern District of California in Oakland for their roles in a scheme to defraud nearly 1,000 debit card holders by using stolen bank account information to withdraw money from ATMs. Eduard Arakelyan, 21, and Arman Vardanyan, 23, were each sentenced yesterday to serve 36 months in prison on bank fraud and conspiracy charges, and an additional, consecutive 24 months in prison for the identity theft charge. In addition, upon release from prison Arakelyan and Vardanyan were ordered to serve five years of supervised release and to pay $42,043 in restitution. Arakelyan and Vardanyan were each charged in a criminal information filed on March 5, 2012, in the U.S. District Court in Oakland, with one count of conspiracy to commit bank fraud, one count of bank fraud and one count of aggravated identity theft. On March 20, 2012, Arakelyan and Vardanyan pleaded guilty to these crimes in Oakland and U.S. District Judge Claudia Wilken pronounced the sentences. Arakelyan and Vardanyan admitted that in or about July 2011, they participated in a scheme to defraud bank account holders and financial institutions by obtaining 952 stolen bank cards and traveling to Northern California to withdraw from ATMs as much money as possible using these stolen bank accounts. According to court documents, Arakelyan and Vardanyan possessed two loaded firearms, a GPS device pre-programmed with ATM locations and eight mobile telephones, all to further their scheme. The information charged that these stolen cards were linked to a 2011 theft of a reported 94,000 debit and credit card account numbers from customers buying goods at 84 Michaels Stores Inc. stores across the United States. The perpetrators of that security breach replaced about 84 authentic personal identification number pads, used by the stores to process debit and credit card purchases, with fraudulent pads from which they downloaded customers’ banking information. After this breach, financial institutions reported tens of thousands of incidents of fraudulent activity linked to customers who had visited the affected Michaels stores. Arakelyan and Vardanyan are among those who executed one aspect of this scheme. Source: Department of Justice

(update) Michaels Stores Still PINned beneath Payment Card Skimming Lawsuit

Ah, I missed a ruling.  Thankfully, Brendon Tavelli didn’t. He writes: In May 2011, Michaels Stores reported that “skimmers” using modified PIN pad devices in eighty Michaels stores across twenty states had gained unauthorized access to customers’ debit and credit card information. Not a pretty picture for Michaels. Lawsuits soon splattered on the specialty arts and crafts retailer, alleging a gallery of claims under the Stored Communications Act (“SCA”), the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and for negligence, negligence per se, and breach of implied contract. Late last month, U.S. District Court Judge Charles Kocoras ruled on Michaels’s motion to dismiss. Some claims were dismissed, but others survived. The opinion presents a broad-brush survey of potential data security breach claims, with some fine detail and local color particular to this variety of criminal data security breach. Read more on Proskauer Privacy Law Blog.

Michaels Stores hit with 2nd suit seeking class-action status [repost]

[repost] Becky Yerak reports: Michaels Stores Inc., which disclosed that its checkout-line PIN pads were tampered with in Illinois and 19 other states, has been hit with two lawsuits seeking class-action status by consumers alleging that the arts and crafts retailer failed to safeguard shoppers’ credit and debit card information and PIN numbers. The latest lawsuit was filed Friday in U.S. District Court in the Northern District of Illinois by Libertyville resident Mary Allen, who said an $18.16 purchase at a Michaels in Vernon Hills on March 15 led to more than $1,000 in unauthorized transactions. Read more in The Chicago Tribune.

(update) Michaels Stores finds tampered PIN pads in 20 states

As noted yesterday by Brian Krebs, the Michaels Store breach appears to be significantly larger than what was originally reported on May 4.  NBC in Chicago reports: The Irving, Texas-based company reports it removed 7,200 PIN pads from stores as a precautionary measure. Of those removed, less than 90 devices (or 1percent of the total devices) were identified as being compromised. “The company has commenced replacing these PIN pads in all US stores,” Michaels said in an official statement, “and expects the replacement to be completed within the next 15 days.” The list of 20 states with PIN pad tampering includes Illinois, Georgia, North Carolina, Ohio, Virginia, New Mexico, Iowa, Delaware, Colorado, Pennsylvania, Rhode Island, Utah, New Jersey, Nevada and Washington. Gregory Karp of the Chicago Tribune adds: llinois was hit the hardest, with PIN pads compromised in 14 Michaels stores, all in the Chicago region. They are Bloomingdale, Burbank, Chicago Ridge, Downers Grove, Glenview, Gurnee, McHenry, Mount Prospect, Naperville, Niles, Norridge, Skokie, Vernon Hills and Willowbrook. The fraud attack has led many banks to proactively freeze bank accounts of customers they think may be vulnerable. For example, Marquette Bank, with 24 branches in the Chicago region, said 1,900, or 3 percent, of its customers were identified as potential victims, meaning they made a PIN-based debit card transaction at Michaels over the past six months. “We were able to identify fraud early, before Michaels went public with their data breach, so we were able to avoid large losses,” said bank spokesman Jeff McDonald. The bank posted warnings on its Web page and on social media site Twitter, while it also called customers, sent letters and began proactively replacing debit cards of some customers. “Unfortunately, we have become experts in addressing these issues quickly with minimal customer inconvenience after dealing with past retail store breaches,” he said. […] Credit Union 1 recently posted a warning on its website: “Due to an enormous surge in fraudulent ‘Pin based’ ATM transactions in California throughout the financial industry, Credit Union 1 has shut down the availability of ‘Pin based’ ATM transactions in California only. Effective immediately, when a ‘Pin based’ transactions occurs in California, your Credit Union 1 Visa Debit card will be ‘flagged and will not be able to be used again.” A list of stores known to be affected are included in Michaels Stores’ official statement on pages 2 and 3. This whole incident is reminiscent of the breaches involving  Hancock Fabrics and ALDI.

Michaels Stores breach bigger than first reported

Brian Krebs reports that a breach involving Michaels Stores is not just a Chicago-area breach but is affecting stores nationwide: Earlier this month, arts & crafts chain Michaels Stores disclosed that crooks had tampered with some point-of-sale devices at store registers in the Chicago area in a scheme to steal credit and debit card numbers and associated PINs. But new information on the investigation shows that many Michaels stores across the country have discovered compromised payment terminals. Investigators close to the case, but who asked to remain anonymous because they did  not have permission to speak publicly, said that at least 70 compromised POS terminals have been discovered so far in Michaels stores from Washington D.C. to the West Coast. Read more on