Arts and crafts retail chain Michaels is dealing with a compromise of Point-of-Sale (PoS) systems its stores that resulted in credit card fraud across the country.
Independent IT security reporter Brian Krebs quotes sources familiar with the investigation as saying that at least 70 PoS terminals at different stores around the nation have been confirmed as compromised so far.
Earlier this month, the retail chain alerted [pdf] customers that PIN pads at its stores in the Chicago area have been tampered with and that credit and debit card information might have been compromised as a result.
The company learned of the problem after being contacted by banks and law enforcement authorities who noticed that some card fraud victims had purchases at Michaels in common.
It now appears that the breach is much larger, having affected thousands of individuals and amounting to millions of dollars in losses. The typical fraudulent withdrawals reported by victims are under $500 and originate d on the West Coast and Las Vegas.
It's not clear how the PoS devices were compromised, but one possibility is that they've been swapped with rogue ones when the store employees were not looking. This was the method used to compromise PoS systems at Aldi stores across eleven states.
The fraudsters are first gathering information about the devices used at the targeted stores, then they buy similar systems from China or somewhere else and modify them to record card magnetic stripe data and PINs.
Various methods are used to install them into stores. In some cases, the criminals posed as service personnel sent by the PoS systems provider to test for malfunctions.
It's not clear how long the rogue devices stayed in place, but consumers who bought from Michaels are advised to carefully monitor their credit card statements for suspicious activity.