Michaels Security Push: Too Little, Too Late

Michaels Stores Inc. said it was in the process of upgrading its payment terminals to tamper-resistant models when it discovered its current terminals had been compromised, but some experts say the retailer should have realized the need for those upgrades a lot sooner.

The breach has since snowballed into massive legal headaches and potential losses for the retailer, forcing Michaels in short order to replace more than 7,000 terminals nationwide.

"The question is whether Michaels invested in tamper-proof payment terminals before they got broken into, and apparently they did not," said Paul Martaus, president and chief executive of the merchant acquirer consulting firm Martaus & Associates of Mountain Home, Ark. "For years processors have been advertising so-called tamper-resistant terminals, and while that's a fine idea, who would think that a company like Michaels, which caters to people making relatively small purchases for crafts and hobbies, would need the heaviest guns to protect against a widespread payment terminal attack?"

Michaels, like many other organizations, said it was in compliance with generally accepted procedures to prevent such a security breach.

"Michaels undergoes a third-party security audit annually to make sure we are compliant with current requirements and standards, and have always been found in compliance," a Michaels representative said.

The Irving, Texas, retailer on May 25 announced that every U.S. store was equipped with "new, tamper-resistant payment card terminals," adding that it also has "implemented additional security measures to prevent this type of crime from reoccurring." The company has not disclosed the brand of payment terminals involved in the breach nor which brands it deployed as replacements.

And while Michaels executives likely believe they reacted as quickly as possible to stanch losses from the tampering attack, attorneys planning class-action lawsuits are scrutinizing the timeline of the company's actions, and their success in that litigation could escalate the company's potential losses.

Michaels warned in a May 26 quarterly Securities and Exchange Commission filing that other entities might seek damages, and payment card companies and associations also may impose fines. "We do not have sufficient information to reasonably estimate losses we may incur arising from the payment card terminal tampering," Michaels said in the filing.

The sequence of events in the breach is likely to be crucial in determining the extent of losses and pinpointing Michaels' liability, according to legal experts.

Secret Service agents on May 3 disclosed the breach to store executives, who then found that crooks had physically altered the payment terminals at about 8% of the company's 964 stores nationwide, enabling them to skim sensitive data from customers' cards, capture PINs and steal money directly from payment accounts.

Some 90 terminals at 80 Michaels stores spread across 20 states were involved, and at least 100 customers' accounts were affected. Customers of at least a dozen different banks and credit unions reportedly lost funds when criminals used the stolen data to make unauthorized ATM cash withdrawals, but Michaels said that number could rise as more reports surface.

Credit card account data also may have been exposed, although Michaels has not reported any related fraudulent credit card transactions.

The crafts-supply chain notified customers of the breach within two days of discovering the tampering. It also removed approximately 7,200 devices in its U.S. and Canada stores within approximately two weeks.

So far, Michaels has not disclosed details about how so many terminals were compromised, but analysts said all signs point to an organized group of criminals. The company says it is working with law enforcement authorities to apprehend the conspirators.

Michaels deploys VeriFone payment terminals equipped with PIN pads in some stores, but the retailer declined to comment on its equipment and suppliers. VeriFone did not comment on whether it supplies terminals to Michaels.

Many observers questioned what actually defines a "tamper-resistant" terminal. Some also questioned whether data-encryption systems that promise to protect card data from the moment a card is swiped until the transaction is processed would have protected a merchant from an attack like the one Michaels experienced.

All U.S. payment terminals certified by the Payment Card Industry Security Standards Council are designed to be tamper-resistant, the organization said. Moreover, the council's PIN Transaction Security standard dictates that all payment terminals have strong physical and logical security factors, including "elements to determine whether someone has tampered with terminals," a council representative said.

Mike Kutsch, a principal with the consulting firm Payment Strategy LLC, said, "Until further details are available, it is difficult to know exactly what happened. But it's highly likely that the use of tamper-resistant terminals and 'end-to-end' data encryption would have prevented this specific breach."

Card-skimming crimes that originated with unattended gas station payment terminals and ATMs are on the rise, but "widespread tampering inside an attended [retail] environment has not been common to date," Kutsch said.

Many merchants also routinely fail to use basic processes to determine whether terminal tampering has occurred, said Jose Diaz, director of technical and strategic business development for the data security firm Thales e-Security Inc. of Weston, Fla.

In many cases, merchants' payment terminals are not securely bolted to counters, so they are relatively easy to remove from a store overnight for tampering without detection, Diaz said. "Payment terminal security is a very comprehensive task, and it's more than just assuming the terminal cannot easily be broken into," he said. "And the other element is installing terminals in such a way that if they are attacked, it will be detected somehow by cameras or other security or tracking systems."
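The "basic processes" Diaz refers to are, in practice, inventory and inspection routines: knowing which terminal (make, model, serial number) is supposed to be on each lane, checking periodically that the same unit with its seals intact is still there, and flagging units that are not physically anchored. The following is an added example written for this page, not code from Michaels, Thales or any vendor; the store numbers, serial numbers, dates and the seven-day inspection interval are all constructed for illustration.

```python
"""Terminal tamper-detection reconciliation (added example, not from the article).

Assumed inputs (constructed for this example):
  - an inventory of payment terminals: store, lane, model, serial number,
    and whether the unit is physically anchored to the counter
  - a log of periodic inspections: store, lane, serial number observed,
    whether the tamper seal was intact, and the inspection date
The script flags serial-number mismatches (a possible device swap), units
that were never inspected or whose last inspection is overdue, broken
seals, and units that are not anchored.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Terminal:
    store: str
    lane: int
    model: str
    serial: str
    anchored: bool


@dataclass(frozen=True)
class Inspection:
    store: str
    lane: int
    serial_seen: str
    seal_intact: bool
    when: date


# Constructed sample data: hypothetical stores, serial numbers and dates.
INVENTORY = [
    Terminal("0101", 1, "PINPAD-X", "SN-A1001", True),
    Terminal("0101", 2, "PINPAD-X", "SN-A1002", False),   # never bolted down
    Terminal("0102", 1, "PINPAD-X", "SN-B2001", True),
    Terminal("0102", 2, "PINPAD-X", "SN-B2002", True),
]

INSPECTIONS = [
    Inspection("0101", 1, "SN-A1001", True, date(2011, 5, 20)),
    Inspection("0101", 2, "SN-A1002", True, date(2011, 5, 20)),
    Inspection("0102", 1, "SN-Z9999", True, date(2011, 5, 21)),   # different serial: swapped unit?
    Inspection("0102", 2, "SN-B2002", False, date(2011, 5, 1)),   # broken seal, and stale
]


def reconcile(inventory, inspections, today, max_age_days=7):
    """Compare inventory against the most recent inspection of each lane.

    Returns a sorted list of (store, lane, finding) tuples; an empty list
    means every terminal matched its record and was inspected on time.
    """
    latest = {}
    for ins in inspections:
        key = (ins.store, ins.lane)
        if key not in latest or ins.when > latest[key].when:
            latest[key] = ins

    findings = []
    for t in inventory:
        key = (t.store, t.lane)
        if not t.anchored:
            findings.append((t.store, t.lane, "not anchored to counter"))
        ins = latest.get(key)
        if ins is None:
            findings.append((t.store, t.lane, "never inspected"))
            continue
        if ins.serial_seen != t.serial:
            findings.append((t.store, t.lane,
                             f"serial mismatch: expected {t.serial}, saw {ins.serial_seen}"))
        if not ins.seal_intact:
            findings.append((t.store, t.lane, "tamper seal not intact"))
        age = (today - ins.when).days
        if age > max_age_days:
            findings.append((t.store, t.lane, f"inspection overdue ({age} days)"))
    return sorted(findings)


if __name__ == "__main__":
    for store, lane, finding in reconcile(INVENTORY, INSPECTIONS, date(2011, 5, 25)):
        print(f"store {store} lane {lane}: {finding}")
```

The serial-number comparison is the check that catches a swapped device even when the replacement looks identical; the seal and anchoring checks cover the case Diaz describes, where a unit is lifted from the counter overnight and returned. Run against a real inventory, every finding should open a ticket that a person closes by physically examining the lane.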

Attorneys are exploring Michaels' data security gaps and how the breach might have been prevented.

One lawsuit, filed May 26 in U.S. District Court in the Northern District of Illinois, seeks class-action status for any U.S. resident who made a purchase at any Michaels crafts-supply store nationwide using a debit or credit card swiped through a PIN pad on or after Jan. 1, 2011.

"Michaels' lack of adequate security granted easy access to third parties who tampered with in-store PIN pads," the suit stated, enabling thieves to steal money from customers' bank accounts. "In essence, Michaels' security failure enabled cyber pickpockets to steal customer financial data from within the retailer's stores and subsequently loot the customers' bank accounts from remote automated teller machines."

The suit, filed by law firms Lite DePalma Greenberg LLC of Chicago and Faruqi & Faruqi LLP of New York, alleges Michaels was negligent and in violation of the federal Stored Communications Act and the Illinois Consumer Fraud and Deceptive Practices Act.

Lawyers for a Michaels customer, Brandi Ramundo, filed an earlier class action in the same federal court. That suit alleges that Michaels failed to use "commercially reasonable" security measures, such as ensuring the physical security of its checkout line terminals and "inspecting and testing" terminals to protect debit and credit card information during point of sale transactions.

The law firms Belongia Shapiro & Franklin LLP of Chicago and Bursor & Fisher P.A. of New York filed the suit on Ramundo's behalf.
