

Michaels Stores: About 3M customer cards may have been exposed in a data breach - jborden13
http://bizbeatblog.dallasnews.com/2014/04/michaels-stores-said-about-3-million-customer-cards-may-have-been-exposed-to-a-data-breach.html/

======
colinbartlett
As first reported by Brian Krebs in January:
[http://krebsonsecurity.com/2014/01/sources-card-breach-at-mi...](http://krebsonsecurity.com/2014/01/sources-card-breach-at-michaels-stores/)

------
tedchs
I don't understand breached retailers offering "identity theft and credit
monitoring solutions" just because CC data was leaked. The big winners are
Equifax/Experian/TransUnion and "security companies" who now get to sell
Michaels, Target, etc. multiple millions of dollars in services that just
hurt their bottom line and/or increase prices for consumers.

It's not like Michaels and Target, both of which I shop at, have the magic
"shared secret" of SSN, address, and DOB. It's just a credit card. Worst case
scenario, some transactions show up that I didn't authorize, and I report it.
Credit card fraud is not the same as "identity theft"!

------
PhantomGremlin
It's never anything simple, like plain incompetence or not following "best
practices". In this case we're told it was "highly sophisticated malware".

Yeah, sure, because a store that sells low cost craft supplies like Michaels
does is undoubtedly a "high value" target worthy of only the most advanced
malware ever written.

~~~
freehunter
You don't have to be a high value target to be a target, you just have to be
online, vulnerable, and have something worth taking. Most companies fall under
that umbrella. Likewise, highly sophisticated malware doesn't mean that
someone wrote the most advanced malware ever, just that Michaels was protected
yet still vulnerable in some way. All it took was finding out how, and that's
not easy either. Heartbleed is dead simple, but still took years to discover,
for example.

Information security is hard. You have to be right 100% of the time, while the
attackers only have to be right once. Best practices and competence will only
get you so far. If someone wants to get in and you were only 99% right, they
WILL get in. It's just a matter of time.

