Michaels Stores Inc.’s potential losses from the debit PIN-pad breach that surfaced in early May continue to mount, as lawyers representing affected customers on May 26 filed another class-action lawsuit seeking damages. The retailer also warned shareholders in a regulatory filing that it cannot estimate its losses related to the incident.
The Irving, Texas-based crafts-supply chain on May 5 announced that criminals had tampered with up to 90 PIN pads over approximately three months at its stores across 20 U.S. states, resulting in the exposure of debit card numbers and PINs and theft of funds from certain customers’ accounts. The company says at least 100 customers’ accounts were affected (
The latest lawsuit, filed in U.S. District Court in the Northern District of Illinois, seeks class-action status for any U.S. resident who made a purchase at any Michaels crafts-supply store nationwide using a debit or credit card swiped through a PIN pad on or after Jan. 1, 2011.
The suit states that Mary Allen of Liberty, Ill., used her Harris Bank debit card in mid-March to buy $18.16 in goods at a Michaels store in Vernon Hills, Ill. When Allen attempted to withdraw cash from her ATM, her transaction was denied because of suspicious account activity, including two unauthorized cash withdrawals of $503 each at ATMs in California. Allen reported the theft to police, but Michaels did not alert her to the breach, according to the lawsuit.
“Michaels’ lack of adequate security granted easy access to third parties who tampered with in-store PIN pads,” the suit states, enabling thieves to steal money from customers’ bank accounts. “In essence, Michaels’ security failure enabled cyber-pickpockets to steal customer financial data from within the retailers’ stores and subsequently loot the customers’ bank accounts from remote automated teller machines.”
The suit, filed by law firms Lite DePalma Greenberg LLC of Chicago and Faruqi & Faruqi LLP of New York, alleges Michaels was negligent and in violation of the Federal Stores Communications Act and the Illinois Consumer Fraud and Deceptive Practices Act.
Lawyers for Michaels customer Brandi Ramundo filed an earlier class-action lawsuit in the same federal court. That suit states that data thefts occurred between Feb. 8 and May 6, but Michaels did not notify customers of the problem until May 5, when it sent an e-mail alert to customers notifying them that their data “may have been” compromised.
“Based on the e-mail alert, Michaels apparently expected its victimized consumers to bear the fallout from its security breach, thereby thrusting upon the consumers a continuous burden of monitoring their bank accounts and credit histories,” that suit states.
Moreover, Ramundo was not among the customers Michaels initially notified of the breach. Ramundo used her Fifth Third Bank debit card on April 18 to purchase merchandise from a Michaels store, and another store rejected the card when she tried to use it May 3, the case states.
Law firms Belongia Shapiro & Franklin LLP of Chicago and Bursor & Fisher P.A. of New York filed the suit on Ramundo’s behalf.
In its quarterly 10-Q filing with the Securities and Exchange Commission on May 26, Michaels said it was aware of at least one lawsuit filed in the wake of the breach and noted that other entities might seek damages in addition to payment card companies and associations that may impose fines.
“We do not have sufficient information to reasonably estimate losses we may incur arising from the payment card terminal tampering,” Michaels said.
Michaels also said in the filing that the Secret Service on May 3 notified it of suspicious activity in some of its customers’ debit accounts.
Analysts say Michaels could have lacked appropriate processes for detecting whether its PIN-pads had been tampered with (
Michaels on May 25 said all of its U.S. stores are now equipped with “tamper-resistant” payment card terminals. “In addition, we have implemented additional security measures to prevent this type of crime from reoccurring,” the company said in a statement.
What do you think about this? Send us your feedback.
