Michaels, the largest arts and crafts store in North America, has acknowledged it may be the latest victim of malware targeting point-of-sale (PoS or cash register) computers.
The company issued a statement on Saturday after card processors and law enforcement indicated that it might have been compromised:
“We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue”
There have been rumors that retailers beyond Target and Neiman Marcus were compromised by memory-scraping malware, and I am sure more will come to light.
Numaan Huq of SophosLabs and I have been tracking this malware for more than three years and are preparing to present our research at this year’s RSA Conference.
I will demonstrate the malware and show how it captures card data from the point-of-sale system's memory, where the magnetic stripe data sits in the clear, before the payment application has the opportunity to encrypt the transaction.
In the last 90 days alone, Sophos has detected credit card thieving malware we call TRACKR on over 12,000 computers at more than 50 distinct locations.
This isn’t the first time Michaels has been the target of credit card thieves. In 2011 the company discovered that payment terminals in its stores had been tampered with to allow criminals to “skim” card details from its customers.
In its most recent 10-K SEC filing Michaels acknowledged financial risks to its business from “Damage to the reputation of the Michaels brand” (p.8), “Failure to adequately maintain security” (p.10) and pending privacy litigation over the abuse of customers’ ZIP codes.
Considering the company felt the need to alert its shareholders to the risk presented by hackers, malware and other payment-related threats, you would hope it might have spent more of its $4.4 billion in revenue on detecting and preventing another incident.
If you shop at Michaels, it would be prudent to check your statements carefully for any fraudulent activity and to follow the news as this story unfolds. It is always a good idea to watch your money, but an incident like this makes it even more important.
Everyone is tracking. In this case Sophos is tracking 12k systems. Why doesn’t anyone notify / publish a list of this type of information? This creates a potential wall of shame and most will then go ahead and clean up their systems to simply get off the list. It also gives consumers a place to look before doing business with someone, kinda like a consumer reports 🙂
Terry, it should be noted that these are systems we protected from compromise. This isn’t 12,000 computers that were sending credit cards to criminals, but rather 12,000 machines which would have been if we hadn’t prevented them from becoming infected.
Just got a call yesterday that my card has been compromised by Michaels. Would like to take legal action against them. Is this possible?