Michaels, the largest arts and crafts store in North America, has acknowledged it may be the latest victim of malware targeting point-of-sale (PoS or cash register) computers.
The company issued a statement on Saturday after indications from card processors and law enforcement that they had been compromised:
“We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue”
Numaan Huq of SophosLabs and I have been tracking this malware for more than three years and are preparing to present our research at this year’s RSA Conference.
I will demonstrate the malware and show how it intercepts credit cards before payment systems have the opportunity to encrypt the transaction.
In the last 90 days alone, Sophos has detected credit card theiving malware we call TRACKR on over 12,000 computers at more than 50 distinct locations.
This isn’t the first time Michaels has been the target of credit card theives. In 2011 the company discovered credit card terminals had been tampered with to allow criminals to “skim” credit details from its customers.
In its most recent 10-K SEC filing Michaels acknowledged financial risks to its business from “Damage to the reputation of the Michaels brand” (p.8), “Failure to adequately maintain security” (p.10) and pending privacy litigation over the abuse of customers’ ZIP codes.
Considering the company felt the need to alert its shareholders to the risk presented by hackers, malware and other payment related risks you would hope it might have spent more of its $4.4 billion in revenue to detect and prevent another incident.
If you shop at Michaels it would be prudent to carefully check your statements for any fraudulent activity and pay attention to the news as this story unfolds. It is always a good idea to watch your money, but this type of incident makes it even more important.
Payment terminal image courtesy of Shutterstock.