As noted yesterday by Brian Krebs, the Michaels Store breach appears to be significantly larger than what was originally reported on May 4. NBC in Chicago reports:
The Irving, Texas-based company reports it removed 7,200 PIN pads from stores as a precautionary measure. Of those removed, less than 90 devices (or 1percent of the total devices) were identified as being compromised.
“The company has commenced replacing these PIN pads in all US stores,” Michaels said in an official statement, “and expects the replacement to be completed within the next 15 days.”
The list of 20 states with PIN pad tampering includes Illinois, Georgia, North Carolina, Ohio, Virginia, New Mexico, Iowa, Delaware, Colorado, Pennsylvania, Rhode Island, Utah, New Jersey, Nevada and Washington.
Gregory Karp of the Chicago Tribune adds:
llinois was hit the hardest, with PIN pads compromised in 14 Michaels stores, all in the Chicago region. They are Bloomingdale, Burbank, Chicago Ridge, Downers Grove, Glenview, Gurnee, McHenry, Mount Prospect, Naperville, Niles, Norridge, Skokie, Vernon Hills and Willowbrook.
The fraud attack has led many banks to proactively freeze bank accounts of customers they think may be vulnerable. For example, Marquette Bank, with 24 branches in the Chicago region, said 1,900, or 3 percent, of its customers were identified as potential victims, meaning they made a PIN-based debit card transaction at Michaels over the past six months.
“We were able to identify fraud early, before Michaels went public with their data breach, so we were able to avoid large losses,” said bank spokesman Jeff McDonald. The bank posted warnings on its Web page and on social media site Twitter, while it also called customers, sent letters and began proactively replacing debit cards of some customers. “Unfortunately, we have become experts in addressing these issues quickly with minimal customer inconvenience after dealing with past retail store breaches,” he said.
[…]
Credit Union 1 recently posted a warning on its website: “Due to an enormous surge in fraudulent ‘Pin based’ ATM transactions in California throughout the financial industry, Credit Union 1 has shut down the availability of ‘Pin based’ ATM transactions in California only. Effective immediately, when a ‘Pin based’ transactions occurs in California, your Credit Union 1 Visa Debit card will be ‘flagged and will not be able to be used again.”
A list of stores known to be affected are included in Michaels Stores’ official statement on pages 2 and 3.
This whole incident is reminiscent of the breaches involving Hancock Fabrics and ALDI.