Retailer Michaels fails in access management, falls to data exposure
February 4, 2014

Several high-profile data breaches have struck retailers in the past several months, with the most recent one being the highly damaging attack on Michaels stores. Although experiencing a monumental breach such as this one or the breach Target faced toward the end of 2013 is often devastating for the victimized firm, others in the retail sector should view it as a clear sign that identity management capabilities must be expanded upon as soon as possible.

Privacy protection and data security are intrinsically contingent upon exceptional authentication practices and general oversight of information governance. With the right combination of policies and solutions, retailers, as well as organizations in virtually every other industry, can more proactively defend themselves from the damages of breach.

Owners speak
PC Magazine recently reported that the Michaels breach is still under investigation, but that executives from the retail giant have already issued warnings and announcements to customers regarding the gravity of the situation.

"As you may have read in the news, data security attacks against retailers have become a major topic of concern. We recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we may have experienced a data security attack," Michaels Chief Executive Officer Chuck Rubin stated, according to the news provider. "We are working closely with federal law enforcement and are conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information we have received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, we believe it is appropriate to notify our customers that a potential issue may have occurred."

It has yet to be determined just how many people are at risk, but many parties are getting involved in the investigation to expedite the process. What has been established is that the company's customers are at risk of serious fraud because of a lapse in access control and security. 

Other retailers should recognize how Michaels failed to discover a breach of its own systems, and had to be alerted to the issue by outside parties. 

Lawsuit emerges
Although the news about the Michaels breach only broke a couple of weeks ago, a customer that was impacted by the failed security process has already sued the firm, Bloomberg reported recently. According to the news provider, the attack has yet to be confirmed outright, but the U.S. Secret Service is currently investigating fraudulent activity that is believed to have stemmed from Michaels stores.

This chain, the source noted, is the largest arts-and-craft retailer in the world, based in Texas and operates more than 100 stores across the United States. Previous reports had indicated that the retail giant did not even discover the breach on its own, but rather was tipped off to the event by banks and payment processors which had seen a consistent uptick in fraud impacting their customers who also frequented Michaels stores.

Bloomberg explained that a customer who lives in Illinois is taking the lawsuit to federal court, alleging that the company had not done its part to protect her information, which is now at risk of leading to identity theft and fraud. From initial reports, this might be a trend, as many other customers are expected to step forward and potentially launch a class-action lawsuit against the store.

More effective measures to protect customer information could have likely prevented this event from occurring, and this is yet another example of just how devastating a breach can be to a brand.