Data Breach: Michaels Stores

Michaels Stores, Inc. is now reporting that two separate 8-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.  The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.  Reportedly, the security firms Michaels hired to investigate the “break-ins” initially found nothing; the ultimate analysis confirmed the attacks, “using highly sophisticated malware that had not been encountered previously by either of the security firms.”  In a press release dated April 17, 2014, the company states: “The Company has now identified and fully contained the incident, and the malware no longer presents a threat while shopping at Michaels or Aaron Brothers.”  Michaels Stores had previously reported, in January of this year, following the disclosures regarding Target and Neiman Marcus, that it was investigating a potential security breach involving customers’ credit card information.

The Target breach involved thieves planting malware on cash registers; the malware was designed to siphon card data at the moment customers swiped their cards at the register.  According to the information released by Michaels, the affected systems contained certain payment card information, namely card number and expiration date, but there was no evidence that other customer personal information (name, address, debit card PIN) was at risk.  That profile is consistent with what a register handles: the magnetic-stripe track data read at the swipe carries the card number and expiration date, while the PIN is not part of the track data at all and is captured and encrypted by the PIN pad, which is why a register-side compromise of this kind typically exposes the former and not the latter.
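Added example (not code from Michaels, Target or the investigating firms): what “siphoning card data at the swipe” looks like in practice. Point-of-sale memory scrapers search a register process’s memory for magnetic-stripe Track 2 data, which holds the card number and expiration date but never the PIN. The scanner below runs the same search in Python over a constructed byte blob standing in for a memory dump, Luhn-validates each candidate card number to discard lookalike digit runs, and reports masked results. The blob, the industry test number 4111111111111111 and all function names are constructed for this example.

```python
"""Scan a byte blob for magnetic-stripe Track 2 data.

Added example: the blob below stands in for a dump of a point-of-sale
process. It is constructed for this illustration and is not data from
any real incident.
"""
import re

# Track 2 layout: ';' PAN (13-19 digits) '=' YY MM service-code(3) discretionary '?'
# The PIN is never encoded here, only the card number, expiry and service code.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; real PANs pass, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits, the usual PCI-style masking."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(blob: bytes) -> list:
    """Return one record per Luhn-valid Track 2 hit, with the PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # layout matched but check digit failed: not a card
        hits.append({
            "offset": m.start(),
            "pan_masked": mask(pan),
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",   # MM/YY
            "service_code": m.group(4).decode(),
        })
    return hits


# Constructed sample: one valid Track 2 record (test PAN 4111111111111111)
# followed by a lookalike whose last digit breaks the Luhn check.
SAMPLE = (b"\x00\x00junk;4111111111111111=25121011234567890?\x00"
          b"more;4111111111111112=2512101000?\x00")

if __name__ == "__main__":
    for hit in find_track2(SAMPLE):
        print(hit)
```

Run stand-alone it prints a single hit at offset 6 with the masked number 411111******1111 and expiry 12/25; the second record is dropped because its check digit fails. The same regex-plus-Luhn filter is what a defender can run over process memory or network captures to detect track data where it should not be, which is the detection angle on the behaviour the Target and Michaels reports describe.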

See press release:

See information regarding nature/scope of breach:

Class Action Suit Filed Against Barnes & Noble Over PIN, Credit Card Theft

Barnes & Noble gets sued over PIN “skimming” scam

On October 27, 2012, plaintiff Elizabeth Nowak filed a putative class action against Barnes & Noble (“B&N”) arising out of the PIN pad tampering incident the company reported as of October 23, 2012 (see press release of October 24, 2012).

In its press release, Barnes & Noble advised that it had detected tampering with PIN pad devices used in 63 of its stores, limited to one compromised PIN pad in each affected store.  The B&N statement says that criminals planted bugs in the tampered PIN pad devices and that the company disconnected all PIN pads in its stores nationwide by close of business on September 14, 2012.  The press release further advised that the company had notified federal law enforcement authorities and was “supporting” the investigation.

In the complaint, filed in the USDC for the Northern District of Illinois, plaintiff alleges that B&N’s security failures enabled skimmers to steal financial data within B&N stores, allowing unauthorized purchases and putting the class members’ financial information at serious and ongoing risk.  (The complaint’s “skimmer” is the generic term for a device affixed to a card reader, classically the mouth of an ATM, that secretly captures card data as customers insert or swipe their cards; in the B&N incident the devices were planted inside the stores’ own PIN pads rather than attached to an ATM.)  Plaintiff alleges that B&N failed to disclose the extent of the breach and failed to individually notify each affected customer.  Plaintiff asserts claims for breach of implied contract and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.

The individual plaintiff, Nowak, states that she shopped at a B&N store in Illinois prior to September 14, 2012 and that on at least one of these occasions she swiped her debit card through one of the store’s PIN pad terminals.  While plaintiff alleges that B&N customers are subject to continuing damage from having their personal information compromised, the allegations contain no specific reference to plaintiff’s own loss or injury from identity theft, credit card fraud, or other specific costs related to card reissuance or credit monitoring.  Plaintiff alleges that B&N failed to directly notify individual customers and that B&N was aware of the problem for six weeks before making a public announcement about the scam.  Plaintiff further alleges that B&N failed to post signs in each of its affected stores to notify returning customers that their financial information may have been compromised.  Plaintiff does not allege a specific violation of any breach notification statute.  Notably, the Illinois statute allows substitute notice if the cost of providing notice would exceed $250,000 or the affected class exceeds 500,000 persons, and substitute notice would not have required posting signs in the stores to notify returning customers; it consists only of e-mail notice, conspicuous posting on the entity’s website, or notification to statewide media.

The Connecticut AG is interested:

See copy of lawsuit at:

Nowak v. Barnes & Noble