Hackers breached the security of the arts and crafts retail chain Michaels and stole credit card data from almost three million Michaels' customers, according to an April 17 report in ABCNews. This hack lasted eight months and affected 7 percent of all cards used at Michaels.
Also, hacked were Michaels' subsidiary, Aaron Brothers (this retail chain also sells arts and crafts supplies). At Aaron Brothers hackers stole information on as many as 400,000 debit and credit cards, bringing the total number of cards affected by the Michaels' hack to three million.
The hackers were able to get customer data like card numbers and expiration dates using very sophisticated malware not previously seen. It does not appear that the hackers got customers' names or addresses.
The malware, which the hackers inserted to steal these three million card numbers and expiration dates, has now been removed by security firms. However, Michaels says that some of the stolen card numbers have been used fraudulently.
This massive hack of customer data at Michaels comes on the heals of a massive hack at Target, during the 2013 holiday shopping season. As a result of the Target hack, 40 million debit and credit card numbers were affected.
After the Target hack, the FBI warned retailers to get ready for more Target-like attacks because the affordable malware used for these kinds of hacks is easily available to those who know how to find it on the Dark Web—and the potential profits are huge. The Dark Web is the portion of the Web not indexed by search engines and is estimated to be hundreds of times larger than the Web seen through search engines like Google or Bing.
The hack at Michaels and Target used a similar strategy. Both the Michaels and Target hacks targeted their Point-of-Sale systems. The malware used in the Target hack was malware designed to find, save and send credit card and PIN numbers from the Michaels and Target check-out systems.
The malware used in the Target attack was “Trojan.POSRAM." When a customer swipes his debit or credit card at the register, this malware steals the customer's credit card or debit card number and its PIN from the magnetic strip on the card. It then sends this data to the hackers at specific times.
The hack at Michaels occurred between May 8, 2013 and Jan. 27. The hack at Aaron Brothers happened between June 26, 2013 and Feb. 27. Like Target before it, Michaels is providing free fraud assistance, identity protection and credit monitoring to its customers—and those of Aaron Brothers.