This article is from the source 'washpo' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.washingtonpost.com/business/economy/michaels-says-nearly-3-million-customers-hit-by-data-breach/2014/04/18/3074e432-c6fc-11e3-8b9a-8e0977a24aeb_story.html?wprss=rss_homepage

The article has changed 6 times.

Version 3 Version 4
Michaels says nearly 3 million customers hit by data breach
(about 3 hours later)
Michaels, the craft store chain that confirmed a data breach earlier this year, said nearly 3 million customers’ information had been stolen from its point-of-sale system, including from several Washington-area stores. Michaels has confirmed that credit and debit card information was stolen from 3 million customers who shopped at some of its stores during an eight-month period.
The company’s statement late Thursday said two security firms had found that criminals broke into Michaels’s system using “highly sophisticated malware that had not been encountered previously by either of the security firms.” The craft-store chain initially confirmed the data breach in January but gave few details of what occurred or how many customers were affected.
The malware has since been removed, the company said. In the update, released late Thursday, the firm said criminals broke into its payment system last year, targeting the point-of-sale machines.
Michaels posted a list of all affected stores on its Web site. The list includes 23 stores in Maryland and eight stores in Northern Virginia. The retailer does not have any locations in the District. A total of 2.6 million cards or 7 percent of cards used at Michaels stores during the breach period were affected. An additional 400,000 cards at its subsidiary Aaron Brothers were affected, the retailer said. The malware affected customers who used their credit or debit cards to shop at Michaels between May 8, 2013, and January 27, 2014, a total of 2.6 million cards, the company said. Data from an additional 400,000 cards at its subsidiary Aaron Brothers were stolen from those who shopped between June 26, 2013, and February 27, 2014.
Customers who shopped at Michaels between May 8, 2013 and January 27, 2014 are vulnerable, as well as those who shopped at Aaron Brothers between June 2013 and February 2014. The retailer first confirmed that it had been breached on Jan. 25, after a report by security blogger Brian Krebs. The company’s statement did not say whether it warned Aaron Brothers customers who shopped there in February that their transactions could still be affected, and the retailer did not immediately respond to a request for comment. The stolen information at both stores includes credit and debit card numbers and expiration dates. Customer names, Personal Identification Numbers (PINs) and addresses were not affected, the company said. Michaels posted a list of affected stores on its Web site, which includes 23 stores in Maryland and eight in Northern Virginia. The retailer does not have any locations in the District.
News of the breach was first reported Jan. 25 by security blogger Brian Krebs. But the dates released by the retailer Thursday show that customers were vulnerable to attack for up to a month after the announcement. The company did not address the lag in its statement.
Michaels is one of several major retailers — including Target and Neiman Marcus — that were hit by cyberattacks during the past year. The breaches have sparked debates in Washington on the vulnerability of the nation’s magnetic-stripe payment card system and the need for a uniform breach-notification law that would require companies to tell their customers as soon as they discover an attack. Currently, companies are governed by a patchwork of state-level laws.
“This is just one more reason that we need federal data-breach legislation,” said Delara Derakhshani, policy counsel for Consumers Union, an advocacy group. “We have to raise the standards of accountability for retailers such as Michaels, Target or Neiman Marcus.”
Lawmakers have held hearings on Capitol Hill and floated multiple bills supporting federal legislation. Retailers and banks formed a working group this year to combine information and security measures that may help prevent attacks.
But there has been little progress on the issue.
“The ideal solution is going to be one that gleans from all of these bills,” Derakhshani said.
In its update to customers, Michaels did not elaborate on the nature of the attack but said criminals used a “highly sophisticated malware that had not been encountered previously” by either of the security firms investigating the breach. Michaels said it hired two independent security firms to investigate the attack — which is the company’s second data breach in three years.
The stolen information at Michaels and Aaron Brothers includes credit and debit card numbers and expiration dates. Customer names, Personal Identification Numbers (PINs) and addresses were not affected, the company said.
“With this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers,” Michaels chief executive Chuck Rubin said in a statement.
Michaels said it would offer customers free credit monitoring services for one year. The company has received “limited reports” of fraudulent activity, he said, and is offering customers free credit-monitoring services for one year.
This is the company’s second security breach. The first incident occurred in May 2011, when criminals tampered with 90 PIN pads at stores across the country to steal customers’ payment card information. The retailer’s last breach occurred in May 2011, when criminals tampered with 90 PIN pads at stores across the country to steal customers’ payment card information. At the time, the company said fewer than 100 customers reported fraudulent activity as a result of the attack.
Michaels is one of several major retailers — including Target and Neiman Marcus — that were hit by data breaches last year. The attacks have cast a spotlight on the vulnerability of the nation’s magnetic-stripe payment card system as well as the necessity for a uniform breach notification law that would require companies to tell their customers as soon as they discover a breach. The current system is governed by a patchwork of state-level laws.
Retailers and banks formed a working group earlier this year to combine information and security measures that may help prevent future attacks.