On Saturday, Chuck Rubin, the CEO of Michaels Stores, released a statement to customers saying that the retailer probably experienced a data breach:
"... We recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we may have experienced a data security attack. We are working closely with federal law enforcement and are conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information we have received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, we believe it is appropriate to notify our customers that a potential issue may have occurred..."
The "recently learned" portion of the statement probably refers to a Krebs On Security blog post. Sources from four different banks reported fraudulent charges affecting hundreds of customers that traced back to Michaels stores.
As with the massive Target stores data breach, the U.S. Secret Service is involved. Michaels is the third retailer to have experienced a data breach during the past two months or so. While Neiman Marcus confirmed earlier this month that it had experienced a data breach, the retailer announced few details.
In May 2011, criminals hacked the point-of-sale registers at Michaels stores in Chicago. A subsequent investigation found hacked terminals in stores in at least 20 states. In 2011, the retailer replaced 7,200 PIN pads in its stores. In March 2013, this blog reported on a questionable and restrictive return policy at Michaels stores.
Michaels customers should read the full January 25 statement (Adobe PDF). It advises shoppers to be vigilant (e.g., check your bank accounts and credit/debit-card bills for fraudulent charges). Michaels will provide updates at its Web site. Shoppers with questions about the data breach can also call the retailer toll-free at 1-877-412-7145 from Monday through Saturday from 8:00 am to 11:00 pm CST, and Sundays from 8:00 am to 8:00 pm CST.
Obviously, there will be a lot more news coming about this data breach.