DataBreaches.net

DataBreaches.net

The Office of Inadequate Security

Menu
  • Breach Laws
  • About
  • Donate
  • Contact
  • Privacy
  • Transparency Reports
Menu

Michaels Stores (finally) confirms breach affecting 2.6M cards at Michaels, 400K at Aaron Brothers

Posted on April 17, 2014April 17, 2014 by Dissent

Michaels Stores, who announced on January 25 that they had been informed of a possible breach that they were investigating, has now (finally) confirmed the breach first reported by Brian Krebs. Posted on their web site today:

In January, we notified you that we might have experienced a data security incident. We wanted you to know quickly so you could take steps to monitor activity on your payment card account.

Since that time, we have continued our extensive investigation with the help of two independent, expert security firms. We have also been working closely with law enforcement authorities and coordinating with banks and payment processors to determine the facts.

After weeks of analysis, we have discovered evidence confirming that systems of Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms.

We want you to know we have identified and fully contained the incident, and we can assure you the malware no longer presents a threat to customers while shopping at Michaels or Aaron Brothers.

Here are additional facts we have determined from our continuing investigation:

  • The affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. There is no evidence that other customer personal information, such as name, address or PIN, was at risk in connection with this issue.
  • Regarding Michaels stores, the attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014. Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue. The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com.
  • Regarding Aaron Brothers, the Company has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware. The Company estimates that approximately 400,000 cards were potentially impacted during this period. The locations for each affected Aaron Brothers store are listed on www.aaronbrothers.com.
  • The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.

[…]

Read their CEO’s full statement here.  The companion press release can be found here.

Affected Aaron Brothers’ stores
Affected Michaels stores

And yes, the Michaels store I used my card at was involved, but damned if I remember what dates I used the card on. I guess I’ll have to wait to see if I get a notification letter from the card issuer.

Post corrected to delete incorrect date of Brian Kreb’s disclosure of breach.

 

Related Posts:

  • Michaels Stores: two months later, no update?
  • Michaels Stores reports possible card breach
  • Michaels Stores breach bigger than first reported
  • Michaels Alerts Customers of Potential Debit and…
  • Michaels Stores Sued After Reporting Possible Data Breach

Post navigation

← DOJ sends evidence preservation request to Domains by Proxy for details of CyberWarNews.info blogger
Moscow Hacker Faces Extradition Requests by U.S., Russia →

Sponsored or Paid Posts

This site doesn’t accept sponsored posts and doesn’t respond to requests about them.

Have a News Tip?

Email:

Breaches[at]Protonmail.ch
Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Telegram: @DissentDoe

Browse by News Section

Latest Posts

  • The Untold Story of a Massive Hack at HHS in Covid’s Early Days
  • Records reveal new information about Sweetwater Union High School District ransomware incident
  • HHS’ Office for Civil Rights Settles First Ever Phishing Cyber-Attack Investigation
  • Founder and Majority Owner of Cryptocurrency Exchange Pleads Guilty to Unlicensed Money Transmitting
  • Hackers hit Erris water in stance over Israel
  • Data breach by Addenbrooke’s Hospital reveals patient information
  • Millions of patient scans and health records spilling online thanks to decades-old protocol bug
  • Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements (GAO Report)

Please Donate

If you can, please donate XMR to our Monero wallet because the entities whose breaches we expose are definitely not supporting our work and are generally trying to chill our speech!

Donate- Scan QR Code   Donate!

Social Media

Find me on Infosec.Exchange.

I am also on Telegram @DissentDoe.

RSS

Grab the RSS Feed

Copyright

© 2009 – 2023, DataBreaches.net and DataBreaches LLC. All rights reserved.

HIGH PRAISE, INDEED!

“You translate “Nerd” into understandable “English” — Victor Gevers of GDI Foundation, talking about DataBreaches.net

©2023 DataBreaches.net