Sign In

The Association for Convenience & Fuel Retailing

Skip Navigation LinksNACS Online / News & Media Center / News Archive

Michaels Stores' Data Breach Leads to Suits Seeking Class Action Status

Lawsuits allege violations of the Federal Stored Communications Act and the Illinois Consumer Fraud and Deceptive Practices Act.
June 2, 2011

CHICAGO - Michaels Stores Inc., which incurred a data breach last month when checkout line PIN pads were compromised in 20 states, has been hit with two lawsuits seeking class action status alleging the retailer failed to safeguard consumers€™ credit and debit card information, the Chicago Tribune reports.

The latest lawsuit was filed last week in Illinois by a Libertyville, Illinois resident who said an $18.16 purchase at a Michaels on March 15 led to more than $1,000 in unauthorized transactions.

"Plaintiff swiped her debit card through one of the tampered Michaels PIN pads and unwittingly had her debit card information and PIN number stolen as a result," the lawsuit said, adding that the company failed to ensure the security of its checkout line terminals.

"Michaels' lack of adequate security granted easy access to third parties who tampered with in-store PIN pads to ... 'skim' unwitting customers' debit and credit card information and subsequently steal money directly from the victims' bank accounts," said the lawsuit. "In essence, Michaels' security failure enabled cyber-pickpockets to steal customer financial data from within the retailer's stores and subsequently loot the customers' bank accounts from remote automated teller machines."

According to Michaels, fewer than 100 customer debit cards have been affected by the unauthorized capture of debit or credit card magnetic strip data.

Subsequent to the discovered breach, the lawsuit noted that on May 5, almost three months after the skimming began, Michaels sent an alert to Chicago-area customers informing them that their card information may have been compromised. It urged them to contact their bank or credit card company and seek guidance on how to protect their accounts in the event data were stolen.

"Based on the email alert, Michaels apparently expects its victimized consumers to bear the fallout from its security breach, thereby thrusting upon the consumers a continuous burden of monitoring their bank accounts and credit histories," the lawsuit said.

The lawsuit said the company also failed to send that alert to all customers.

"Michaels' email alert failed to provide timely and clear notification to anyone, thereby preventing customers from taking meaningful, proactive steps to secure their financial data and bank accounts," the lawsuit said.

NACS Anti-Skimming Solution
The WeCare decal۬is a tamper-evident label that can help retailers identify potential security breaches if skimming devices are inserted at fuel dispensers or other unattended PIN-entry devices. The labels can also help retailers address some of the PCI compliance mandates that are now required.

The security labels are to be used on fuel dispensers near the credit/debit card transaction area. If the label is lifted to insert a skimming device, a "void" message appears on the label, providing a visual alert to store employees so that additional action can be taken. Because the labels clearly indicate that they are to prevent tampering, the labels help assure customers that their data is secure, and discourage criminals targeting the store.

Protect your business and your customers €" order the WeCare decals for your stores today.

NACS also has a fact sheet that examines retailer concerns about card skimming.