Protecting yourself, Research, regulation, industry reports, Shopping

The Michaels security breach could have been worse

Sienna Kossman

In the wake of numerous large-scale data security breaches affecting popular U.S. retailers and online websites, it’s no wonder that 50 percent of Internet users report increasing concerns about the exposure of their personal information online.

This number has risen in recent years, up from 33 percent in 2009, according to a Pew Research Center survey released April 14, and as approximately one of every five U.S. citizens reported their information digitally stolen online last year, up from one of 10 the year before, the concerns are valid, especially for those under the age of 65.

The Michaels security breach could have been worse

While the theft of sensitive consumer information is never a good thing, some of these concerning incidents may be more manageable for consumers than others, one of which is the most security breach involving the nation’s largest arts and craft store chain, Michaels Stores Inc.

Those affected by the Michaels security breach may still be at risk, but compared to victims of other incidents, such as those caught up in Target’s data breach or the Heartbleed Bug, they may not have as much to worry about because the hackers didn’t take as much information as they could have.

Michaels confirmed April 17 that two separate 8-month-long security breaches may have exposed debit and credit card numbers and expiration dates of as many as 3 million cards — 2.6 million Michaels cards and another 400,000 cards from its subsidiary Aaron Brothers. However, there is no evidence that the breach exposed customer names, addresses or PINs — unlike the Target and Heartbleed Bug incidents.

The more pieces of a consumer’s personal and financial profile a hacker acquires the more damage they can do.

Detailed consumer information profiles, called “fullz” by hackers, are sold in black markets to identity thieves who can then turn around and use them for fraud schemes. A fullz consists of a full set of information needed to steal an identity: your Social Security number, birthday, maiden name, account numbers and more. With it, thieves can open new lines of credit, access bank accounts or even move assets under your name.

Along with credit and debit card data, information obtained by hackers through the Target breach included names, mailing addresses, phone numbers and/or email addresses, affecting approximately 70 million consumers overall, according to Target’s corporate website. Similar pieces of personal information are also thought to have been exposed for the past two years through websites affected by the Heartbleed Bug as well.

The card-only information collected through the Michaels breach isn’t enough to create fullz. Credit card numbers alone aren’t worth very much to black market thieves. While fullz go for at least $20 on average per consumer, credit card numbers are usually only worth a few dollars, and that’s only if the numbers include the cards’ security codes, according to Dell SecureWorks.

With a credit or debit card number and expiration date, a thief could still attempt to make online purchases or track down more information attached to the cards but it doesn’t leave the doors as wide open for fraud possibilities as, say, what was exposed from Target’s databases, which flooded the black markets in the millions following the breach and continue to profit fraudsters today. The value and usefulness of the data decreases as consumers activate new card numbers and take other measures to protect themselves as time goes on, but some data packages have had great appeal and were sold for upwards of $100, according to KrebsOnSecurity.

Another possible silver lining of the Michaels data breach is that customers have a straightforward way to check if they are at risk. Although Michaels took three months to confirm the attack, since confirming the incident, Michaels has made a list of all affected stores available to customers online.

Such clarity is not always an immediate option with massive breaches, depending on the type of breach and whether or not the hackers dumped the retrieved information online, which makes it easier to track down more precisely who and what is affected. This was not the case with Target’s situation, according to Mashable’s Samantha Murphy Kelly.

Similar to the Michaels list of affected stores, organizations have been able to determine whether they have been affected by the Heartbleed Bug, but it’s not entirely clear when, what or how much information was taken if they were. That information is only beginning to trickle in.

If you think you may be affected by this breach, Michaels recommends calling your bank or card issuer to get a new card number and PIN number as the best fraud preventive measure in this situation. It also never hurts to check your credit report. The company also offers, through AllClearID, 12 months of free credit monitoring and fraud assistance services to consumers who shopped at the affected store locations during the breach time.

This may still seem like a pain, but the headache could be a lot worse wondering who has your name, address and birthday along the number of your debit card you used to purchase scrapbooking materials last fall.

Lastly, Michaels Stores Inc. has announced that the incident has now been fully contained and the malware is no longer present so for now, try and rest easy. Or at least easier. It could have been worse.

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, we ask that you do not disclose confidential or personal information such as your bank account numbers, social security numbers, etc. Keep in mind that anything you post may be disclosed, published, transmitted or reused.

The editorial content on is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.