PIN-pad tampering at Michaels Stores Inc. occurred over a three-month period and so far has affected "fewer than 100" customers' debit card accounts, but credit card data also may have been exposed, the retailer said Friday.
Evidence so far suggests transactions initiated through compromised Michaels payment terminals occurred between Feb. 8 and May 6, the national craft-store chain said in a press release.
Credit card information also may have been exposed during that time, but so far no reports have emerged of related credit card fraud, the Irving, Texas, retailer said.
Michaels on May 5 began notifying consumers of PIN-pad tampering at its stores and immediately disabled the affected devices. At least 90 payment terminals in stores across 20 states were affected, and Michaels said it is replacing PIN pads in all affected stores with upgraded equipment. That process will be complete by the end of the month, the company said.
Michaels "has removed the PIN-pad tampering threat" from its U.S. stores, although it continues to urge customers to check their accounts for unauthorized transactions, the company said.
"We are confident Michaels is a safe place to shop," John Menzer, Michaels' chief executive, said in the release.
Michaels has not revealed details about what brand or type of payment terminals were compromised or how criminals altered the PIN pads, but the company said it is working closely with payment card brands and issuers to identify accounts that may have been compromised. The company also is working with federal and state law-enforcement agencies.
Analysts say the Michaels PIN-pad tampering incident likely will magnify the threat merchants and issuers face from potential gaps in payment card industry security protocols, but at least one expert said the Michaels terminal breach is unlikely to be easily replicated.
The incident may have been an inside job, in which the perpetrators had help from individuals who either had broad knowledge about and access to store terminals or who were highly savvy about Michaels' payment-processing systems, said Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., research firm Gartner Inc.
"To swap out 90 terminals in 20 states is too coordinated an effort to not suggest this was an inside job or that it was done at the server level," Litan said in an interview. "There are a variety of scenarios here, but it looks like a rather sophisticated attack. And until we know more details, it will be difficult to say how it could have been prevented."