Crafts retailer Michaels investigating possible data breach
Officials at arts-and-crafts retailer Michaels said they had not confirmed a breach and did not say how many credit cards were potentially compromised.
The New York Times
SAN FRANCISCO — In what may be the latest in a continuing spate of cyberattacks on U.S. retailers, officials at Michaels stores said Saturday they were investigating a potential security breach involving customers’ credit-card information.
Michaels, an arts-and-crafts retailer based in Irving, Texas, said it was looking into reports of fraudulent activity on credit cards belonging to customers. But company officials said they had not yet confirmed a breach and did not say how many credit cards were potentially compromised. The retailer operates more than 1,000 stores in the United States and Canada.
The Secret Service is investigating the breach, and is conducting separate inquiries of recent breaches at Neiman Marcus and Target.
“Although the investigation is ongoing, based on the information the company has received and in light of the widely reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred,” the company said in a statement.
If the breach is confirmed, Michaels will be the third major retailer — after Target and Neiman Marcus — to confirm its systems were compromised after an investigation by Brian Krebs, a security blogger, who first reported Saturday that Michaels had potentially experienced a breach.
The recent breach at Neiman Marcus may have compromised more than 1 million of its customers’ payment cards, while the Target breach affected 70 million to 110 million people. In both cases, malware was installed on the retailers’ systems, feeding customers’ payment details back to criminals’ computer servers.
The breaches at Neiman Marcus and Target are believed to have been perpetrated by the same group of criminals in Eastern Europe and to be part of a broader cyberattack directed at as many as six other retailers, according to two people investigating the breaches who were not authorized to speak publicly.