Nearly four months after it first reported it was investigating a data breach, the arts and crafts retail chain Michaels confirmed yesterday that most of its U.S. stores were compromised on and off over an eight-month period and that nearly three million payment cards used by its customers may have been affected.
The company operates more than 1,000 stores across the United States and nearly all of them were breached, although the company says the attack has now been “fully contained.” According to a press release issued yesterday, 2.6 million cards used at affected Michaels point-of-sale systems between May 8, 2013 and January 27, 2014 may have been compromised.
While some stores were targeted only once, others were hit up to four separate times, some for months on end; the longest continuous stretch ran from May to October of last year.
A 45-page document (.PDF) posted by the company yesterday lists each affected store, more than 1,000 in all, and the dates during which customers were exposed at each one.
Michaels downplayed the issue by pointing out that the number of affected cards only translates to roughly seven percent of payment cards used at its stores over the course of that time period.
The point-of-sale systems handled customers’ credit and debit card numbers and expiration dates, and those are the primary pieces of information considered compromised. The company says, however, that customers’ names, addresses and PINs do not appear to have been exposed at this time.
As many as 400,000 additional cards also appear to have been implicated in a separate breach affecting one of the company’s subsidiaries, the specialty framing and art supply chain Aaron Brothers. The same malware infected 53 Aaron Brothers stores (.PDF) between June 26, 2013 and February 27, 2014, mostly in California but also in Arizona, Washington, Oregon, Nevada, Colorado and Texas.
The news comes four months after the Irving, Texas-based company announced it was investigating a potential data breach. Since then, the company says, it has hired two security firms, which worked in tandem with law enforcement, banks and payment processors to investigate.
While the company detected and contained the attack at Michaels stores in late January, the Aaron Brothers compromise apparently slipped by: the malware kept running on those stores’ systems for another month, into late February.
Similar in technique, the Michaels breach nonetheless pales in comparison to this past winter’s Target attack, which exposed card data for over 40 million customers. Like the Michaels attack, the Target attack, which came to light shortly before the new year, relied on infecting the retail giant’s point-of-sale terminals with RAM-scraping malware for several weeks, from Thanksgiving to mid-December last year.
In a blog post earlier this month, researchers at HP pointed out that while there has been a wave of retail card breaches (Target, Michaels, Sally Beauty Supply and others), there is still no easy way to counter these attacks, because there are hard limits to what can be done to protect magnetic stripe data.
“Memory scraping has become the new trend, but there is no easy way to defend against this technique as the magnetic stripe information is decrypted at some point,” Matt Oh, a Senior Malware Researcher with HP, pointed out. “This limitation with magnetic stripe technology and the history of cat and mouse between the credit card industry and the criminals tells us that it is time to adopt a new technology.”
A number of ICS products from Siemens and Innominate are vulnerable to the OpenSSL Heartbleed flaw, and for some of them no update is available yet.
The list of products affected by Heartbleed continues to grow by the day, with OpenVPN among the latest. A researcher said Friday that he was able to extract a private key from a vulnerable OpenVPN server after hitting it with a large volume of requests over the course of several hours.
Now ICS-CERT has issued an advisory warning that several products from Siemens and one from Innominate are vulnerable. Innominate’s mGuard firmware, versions 8.0.0 and 8.0.1, is affected, but the company has issued an update that addresses the flaw.
Meanwhile, Siemens has identified a number of its products that contain the Heartbleed vulnerability. The list of vulnerable products includes:
- eLAN-8.2 eLAN prior to 8.3.3 (affected when RIP is used – update available)
- WinCC OA only V3.12 (always affected)
- S7-1500 V1.5 (affected when HTTPS active)
- CP1543-1 V1.1 (affected when FTPS active)
- APE 2.0 (affected when SSL/TLS component is used in customer implementation).
“A successful ‘HeartBleed’ exploit of the affected products by an attacker with network access could allow attackers to read sensitive data (to include private keys and user credentials) from the process memory,” the advisory says.
By some estimates, OpenSSL is deployed on more than half of the SSL-protected Web servers worldwide, but that is just one piece of the puzzle. The library is also used in embedded devices, industrial control systems and other products, some of which are only now coming to light as vulnerable.