Hagens Berman Sobol Shapiro LLP, a consumer-rights law firm, has announced it is investigating a network breach resulting in loss of customer data at Michaels Stores, following the craft-supply chain’s announcement that attackers may have breached its systems, despite warnings of network vulnerability from a noted security expert.
The consumer data breach involves the store’s Point-of-Sale (POS) systems. According to the firm’s investigation, the retail chain was aware that such a breach could happen but ignored warnings.
“Michaels knew that its POS systems were vulnerable to attack. Dr. Neal Krawetz, a cyber-security expert, published a white paper in August 2007 alerting major retailers, including Target, to the risk of POS cyber-attacks,” said Tom Loeser, a Hagens Berman partner and former federal prosecutor in the Cyber and Intellectual Property Crimes Section of the U.S. Attorney’s Office in Los Angeles.
The firm has already filed a case against Target Corp. (NYSE: TGT), in the U.S. District Court for the Northern District of California, alleging the company is liable for consumers’ losses. That complaint states that Dr. Krawetz alerted Target and other major national retail chains about their vulnerability to attack in a white paper outlining POS security issues. The paper warned that security shortcomings in POS systems could put the financial information of consumers at risk.
“Logs from Dr. Krawetz’ website indicate that someone at a Michaels internet domain address downloaded his white paper on August 13, 2008, and again on November 11, 2013,” Loeser said. “Much like Target, Michaels’ awareness of the vulnerability of its POS systems to cyber-attack and data breach should have prompted it to take measures to prevent, or at least detect such an attack and breach.”
Hagens Berman is also investigating a similar data breach at Neiman Marcus stores.
“There are at least two compelling common facts among Target, Neiman Marcus and now Michaels,” Loeser said. “The first is that the method of attack and the tools used were not unknown. In addition to being warned as early as 2007 of the risk of this type of attack, the particular type of malware the attackers used was known to cyber-security experts as early as 2011, and a version very similar to the version in the Target data breach was known to experts as early as January 2013.”
“Second, none of these companies apparently had any clue that their network systems and security had been breached for quite some time after payment card data was flowing to the attackers,” Loeser continued. “Adequate monitoring of system traffic and data exfiltration is a rudimentary element of any reasonable network security protocol and early detection in these recent attacks could have prevented millions of consumers from having their financial and personal information stolen.”
On Jan. 27, Michaels CEO Chuck Rubin stated in a letter posted to the company website that the retailer had learned of possible fraudulent activity on U.S. debit and credit cards that had been used at Michaels stores.
Hagens Berman seeks to discover whether Michaels took sufficient measures to safeguard sensitive customer data, and whether Michaels’ data policies and practices put consumers at heightened risk of identity theft.