Michaels Arts & Crafts Confirms Data Breach

North American retailer Michaels Arts & Crafts has just confirmed a data breach affecting 2.6 million credit cards swiped at nearly 1000 of their retail locations between May 8, 2013 and January 27, 2014. This confirmation comes after reports of an initial investigation into the breach that began nearly 4 months ago, and also extends to 400,000 credit cards swiped at 53 Aaron Brothers retail locations (a Michaels subsidiary) between June 26, 2013 and February 27, 2014.

What you should know

Michaels first announced that they were investigating a potential data breach back in January 2014, in a letter to customers from CEO Chuck Rubin. This letter did not reveal any details regarding the extent of the breach but did urge customers to keep a close watch on their credit cards.

This week’s confirmation has revealed the full nature of the breach:

  • A full list of affected Michaels locations is available for PDF download here.
  • A full list of affected Aaron Brothers locations is available for PDF download here.
  • Breached data at both retailers is reportedly limited to credit card numbers and expiration dates, and does not include other information such as customer names.
  • Michaels has stated that as of April 17th, 2014 the breach has been contained.

What you should do

If you shopped at an affected Michaels or Aaron Brothers location between the dates that the breach occurred, the best thing you can do is cancel your credit card and get a new one – assuming you haven’t already done so.

Public confirmations of data breaches do help spread awareness to victims, but they also cause black market cybercriminals to sell stolen card numbers at lower prices. That means if your card number was compromised by the Michaels data breach, and you haven’t yet changed it, it is now at a higher risk of being used for fraud. Stolen card numbers are no good to criminals once they are rendered void, and in the wake of this announcement instances of fraud are likely to surge because anyone holding a stolen card number will want to “cash in” before that card is cancelled.

As yet, Michaels has not publicly disclosed specific information about the malware that was used in this attack, but if the series of retail breaches over the last few months is any indication, a POS RAM scraper is likely the culprit. More on this trend towards POS malware can be found here: Emsisoft Security Knowledgebase: What’s with all the Point of Sale Data Breaches?


Have a nice (malware-free) day.