Michaels Pegs PIN-Pad Breach To Three-Month Window; Credit Cards Also Exposed

PIN-pad tampering at Michaels Stores Inc. occurred over a three-month period and so far has affected “fewer than 100” customers’ debit card accounts, but credit card data also may have been exposed, the retailer said May 13.

Evidence so far suggests transactions initiated through compromised Michaels payment terminals occurred between Feb. 8 and May 6, the Irving, Texas-based national craft-store chain said in a press release.

Credit card information also may have been exposed during that time, but so far no reports have emerged of related credit card fraud, the company said.

Michaels on May 5 began notifying consumers of PIN-pad tampering at its stores and immediately disabled affected devices. At least 90 payment terminals in stores in 20 states were affected, and Michaels said it is replacing PIN pads in all affected stores with upgraded equipment (see story). That process will be complete by the end of the month, the company said.

Michaels “has removed the PIN-pad tampering threat” from its U.S. stores, although it continues to urge customers to check their accounts for unauthorized transactions, the company said.

“We are confident Michaels is a safe place to shop,” John Menzer, Michaels CEO, said in the release.

Michaels has not revealed details about what brand or type of payment terminals were compromised or how criminals altered the PIN pads, but the company says it is working closely with payment card brands and issuers to identify accounts that may have been compromised. The company also is working with federal and state law-enforcement authorities to identify and apprehend the fraudsters.

Analysts say the Michaels PIN-pad tampering incident likely will magnify the threat merchants and issuers face from potential gaps in payment card industry security protocols, but at least one expert believes the Michaels terminal breach is unlikely to be easily replicated.

It may have been an inside job, in which the criminals had help from individuals who either had broad knowledge about and access to store terminals or who were highly savvy about Michaels’ payment-processing systems, suggests Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn.-based research firm Gartner Inc.

“To swap out 90 terminals in 20 states is too coordinated an effort to not suggest this was an inside job or that it was done at the server level,” she tells PaymentsSource. “There are a variety of scenarios here, but it looks like a rather sophisticated attack. And until we know more details, it will be difficult to say how it could have been prevented.”
