Security Risk Management

Arts and Craftiness: Data Breach at Michaels

Sonali Shah | April 19, 2014
I love shopping at Michaels. It allows people of all ages to express themselves. From paint by number kits, to beads and professional grade oils and varnishes, Michael’s sells products that allow us to, as Pablo Picasso said, “wash away from the soul the dust of everyday life.”

Unfortunately, something ugly has tarnished the canvases of the artists and crafters who used their debit or credit cards to shop at Michaels from May 8, 2013 to January 24, 2014. In late January 2014, Michaels announced that it was investigating a potential security breach involving customers’ credit card information. After weeks of analysis, Michaels finally confirmed yesterday that a targeted attack did indeed occur on some of their point of sales systems and that approximately 2.6 million cards may have been compromised.

At BitSight, we have observed significant botnet activity on Michael’s network over the past year.  In particular, we observed multiple instances of Conficker, a botnet that can completely compromise system confidentiality, integrity, and availability. BitSight also observed multiple instances of Zeus, Defid, ZeroAccess and Neurevt infections.  Neurevt is known to steal sensitive data from a compromised machine and to connect to remote servers to enable attacker access to the infected machine. ZeroAccess, also known as max++ and Sirefef, is used for Bitcoin mining, click fraud, and opening backdoors on compromised machines, which allows a remote attacker to gain control of the machine.

As discussed in our January 16th post, many retailers were infected by these malware strains. However, what is particularly disturbing about Michaels is the average length of time between when a security incident was first observed by BitSight to when it was last observed. We call this metric “Event Duration” and use it as a proxy to measure how quickly a company identifies and remediates security incidents. The average event duration over the past year at Michaels is 172% longer than the average of companies in the S&P 500 (excluding telecommunications companies). While the average is 6.7 days, we observed a few Conficker infections that persisted for over 300 days.


There are at least two lessons to be learned here. First, evaluating a company’s security posture from the outside can be just as valuable as examining it from the inside. Whether or not the activity observed by BitSight was indeed related to the breach, the fact is that we did observe increased malicious activity leading up to the breach period. Second, once malware has entered an organization, it can continue to cause harm long after the original incident has been removed. In the case of Michaels, as occurred at Target, the initial infection likely started off elsewhere, and then found its way to the point of sale system.

A company can never be done securing itself. It’s an ongoing process that requires constant monitoring and adaptation. Leonardo da Vinci once said, “Art is never finished, only abandoned.” In this case, security does not seem so different from art.

Suggested Posts

Mitigating Risk in Your Expanding Digital Ecosystem

As time goes on, organizations are taking on more and more new digital transformation initiatives to become increasingly agile and boost productivity — dramatically transforming the number of digital touchpoints employees interact with on...


3 Ways to Ensure Best-in-Class Third Party Cyber Risk Management

An effective third party cyber risk management program both identifies potential threats and finds ways to mitigate them. Organizations should aspire to the highest possible standards when it comes to their security posture. To do so, they...


Cyber Risk Should Be A Growing Concern to the Municipal Bond Market

Following an increase in ransomware cyber attacks, most notably May 2017’s WannaCry attack, U.S. public sector entities are starting to see the effects of these attacks on the almost $4 trillion municipal debt market. As a result, issuers...


Subscribe to get security news and updates in your inbox.