Data breaches targeting retailers affect millions of customers
A data breach targeting Michaels – a national chain of arts and crafts stores – has possibly impacted more than two and a half million customers. This news comes on the heels of other major retailer data breaches and as consumer rights advocates are demanding greater accountability and protection from companies. Max Pringle reports.
The arts and crafts retailer Michaels announced Thursday that a malware attack may have affected some 2.6 million customers between May of last year and January. The company’s subsidiary, Aaron Brothers, also experienced an attack over the course of several months. The credit card data of an estimated 400 thousand Aaron Brothers customers may have been intercepted.
It’s the largest U.S. retailer data breach since Target announced a data breach involving millions of consumers’ credit and debit card numbers during the height of the last December’s shopping season. Companies like Neiman Marcus, Bloomingdale’s, Yahoo and others reported breaches soon after.
Christina Tetreault with Consumers Union says as more data is stored electronically, the attractiveness of that information to criminals has kept pace. She adds that Verizon, which publishes a report on data breaches found that in 2013, “61 percent of data breaches occurred at two types of institutions; financial institutions and retailers.”
“One of the causes is the phenomenal amount of data that is stored and retained for marketing purposes or other purposes that are not necessary to complete the transactions,” says Lenny Goldberg with the Privacy Rights Clearinghouse. A broad range of data stored for a long period of time makes it more vulnerable to hacking.
Richard Holober with the Consumer Federation of California says getting information out to the public quickly is critically important. He says Target got the word out fairly quickly that more than 40 million of its customers across the U.S. allegedly had their personal data stolen from their credit or debit cards. But, he says others took their time.
“In the case of Neiman Marcus, Bloomingdale’s and other affiliated stores, it would appear that a breach that occurred early in December, was kept quiet until after the Christmas shopping season was over,” says Holober. He added that the delay in notifying customers, “would have been for clear corporate purposes that are, in this case, at odds with the public interest.”
But Steve Schatz with the National Retail Federation says the industry spends billions each year on fighting cyber crime. Schatz says credit card issuers need to update out-of-date technology that’s vulnerable to fraud: “Private financial information is located on the magnetic strip of your card. Criminals know that they can get all the information they need by simply swiping that magnetic strip and basically monetizing your account.”
Schatz says the U.S. should adopt a pin and smart chip credit card standard much like those used in the EU, Canada and elsewhere. Those cards can only be used with the owner’s pin number and an electronic data chip integrated into the card.
The Federal Trade Commission has launched an investigation into the Target breach, which could lead to fines.
And the U.S. Senate Commerce Committee got into the act earlier this month by holding hearings on consumer data security. There are also several competing bills in Congress that seek to establish federal data breach security standards and protocols.
Michaels announced that the malware responsible for the data breach has been removed from its system. The retailer has also published a list of all its stores which were potentially affected.
(Photo credit: Brandon Dimcheff via his Flickr photostream. Used under Creative Commons license.)