Initially, Michaels Stores, an Irving, Tex.-based arts and crafts chain, announced that customer debit and credit card numbers and PINs had been stolen through PIN-pad tampering at its Chicago area stores. Reports from Chicago area media indicated that law enforcement had received fraud reports from consumers who had purchased items from Michaels using credit cards.
But on May 10, Michaels said that around 90 PIN pads at stores throughout the US had been tampered with. The company disabled and quarantined suspicious PIN pads and removed around 7,200 of them from its stores. The company is also screening PIN pads at its Canadian stores.
“The company has commenced replacing these PIN pads in all US stores and expects the replacement to be completed within the next 15 days. Until the new upgraded PIN pads are installed, customers may have their credit and signature debit transactions processed on the store register”, the company explained.
The company did not disclose how many customers may have had their credit and debit card information compromised as a result of the PIN pad tampering.
Michaels said it is working with credit card brands and issuers "to identify the accounts that may have been compromised, so issuers can employ enhanced fraud security measures immediately on potentially impacted accounts." In addition, the company said it is assisting federal and state law enforcement authorities with their investigation.
There are a number of ways thieves steal PIN pad information, including placing an electronic skimming device or bug on the machines that captures card information or PINs. In some cases, thieves or accomplice employees can swap out the entire PIN pad with one that captures data, Derrick Golden, a spokesperson for the US Secret Service’s Chicago field office, told the Chicago Tribune.