Who's next? Michaels stores hacked: Really, can't the rest of you fess up now?
Add Michaels craft store to the list of retailers who've been shamed into admitting that hackers have possibly stolen credit card information from their systems. Here's a pro tip: hiding this important information from consumers until a journalist finds out about it and tells everyone is bad for business. And it's just plain wrong. Pro tip No. 2: if you are among the remaining retailers who've leaked data, you'd be better off coming forward now, before some bank insider embarrasses you next. In fact, if you all come forward at once (and you know who you are), the PR hit will be considerably less.
As someone who has been in the business of confronting companies who've leaked data, and shaming them into going public, I know this tap dance Brian Krebs has been playing very well. It goes something like this.
Journalist: "Hi retailer. I have evidence that hackers have stolen your data. What is your comment?"
Firm: <silence>
Journalist: "OK, I'm going to publish a story at 3 p.m. that says you wouldn't comment."
Firm: "Wait! We'll have a comment for you at 2:59. But we can't comment on an ongoing investigation. But show us your proof and maybe we'll comment."
Journalist: "OK, here's a copy of the data stolen by the hacker."
Firm: "OK. Yes. What you already know happened, happened."
As a reminder, in most cases there is a legal requirement to disclose data breaches. Here's a helpful state-by-state reminder of those laws. More important, the drip-drip-drip of these stories is bad for everyone. It's bad for consumers. It's bad for banks. It's bad for the entire payment system. And in fact, it's bad for you, Mr. head of PR at a major retailer. It shouldn't take public shaming to get you to admit to being hacked. Heck, in this case, I think most folks have at least some sympathy for Target, as they were victimized by what by all accounts seems to be a very new kind of attack.
But keep waiting, and whatever good will you have will be squandered.
In case you are wondering how Brian and others are figuring out which retailers were hacked, it's pretty simple. When banks spot fraud on credit cards, they examine every other place where that hacked card was used in prior months. With even a small sample of cards, it becomes evident pretty quickly that all those hacked cards have one thing in common: they were all used at the same retailer in a similar time frame.
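The bank-side analysis described above can be sketched in a few lines. This is an added example, not code from the article or from any bank: the card IDs, merchant names and dates are constructed sample data, and the function name `common_points` and the 90-day lookback are assumptions. It ranks merchants by how much more often the fraud-flagged cards shopped there than clean cards did, and reports the time frame of those visits.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: (card_id, merchant, purchase_date). All names are made up.
TRANSACTIONS = [
    ("card-01", "Grocer A", date(2014, 1, 3)),
    ("card-01", "Craft Store X", date(2014, 1, 10)),
    ("card-02", "Craft Store X", date(2014, 1, 11)),
    ("card-02", "Gas Station B", date(2014, 1, 15)),
    ("card-03", "Craft Store X", date(2014, 1, 12)),
    ("card-03", "Grocer A", date(2014, 1, 20)),
    ("card-04", "Grocer A", date(2014, 1, 5)),
    ("card-04", "Gas Station B", date(2014, 1, 9)),
    ("card-05", "Grocer A", date(2014, 1, 7)),
    ("card-05", "Craft Store X", date(2013, 9, 1)),  # outside the lookback window
    ("card-06", "Gas Station B", date(2014, 1, 18)),
]
FRAUD_CARDS = {"card-01", "card-02", "card-03"}  # cards the bank saw fraud on

def common_points(transactions, fraud_cards, as_of, lookback_days=90):
    """Rank merchants by fraud-card share minus clean-card share in the window."""
    start = as_of - timedelta(days=lookback_days)
    fraud_seen, clean_seen = defaultdict(set), defaultdict(set)
    dates = defaultdict(list)
    all_cards = set()
    for card, merchant, day in transactions:
        all_cards.add(card)
        if not (start <= day <= as_of):
            continue  # only purchases in the prior months matter
        if card in fraud_cards:
            fraud_seen[merchant].add(card)
            dates[merchant].append(day)
        else:
            clean_seen[merchant].add(card)
    n_fraud = len(fraud_cards & all_cards)
    n_clean = len(all_cards - fraud_cards)
    results = []
    for merchant, cards in fraud_seen.items():
        results.append({
            "merchant": merchant,
            "fraud_share": len(cards) / n_fraud,
            # A popular store is visited by clean cards too; that is the baseline.
            "clean_share": len(clean_seen[merchant]) / n_clean if n_clean else 0.0,
            "window": (min(dates[merchant]), max(dates[merchant])),
        })
    results.sort(key=lambda r: r["fraud_share"] - r["clean_share"], reverse=True)
    return results

if __name__ == "__main__":
    for row in common_points(TRANSACTIONS, FRAUD_CARDS, as_of=date(2014, 1, 25)):
        print(row)
```

Comparing against the clean-card baseline is what keeps a merely popular store (here "Grocer A") from looking like the breach point.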
Thanks, Brian, for forcing all these retailers to fess up.
Here's a link to Michaels' (sort of) mea culpa, published this weekend after the company was confronted by Krebs.
"We recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we may have experienced a data security attack," it says. "We are working closely with federal law enforcement and are conducting an investigation with the help of third-party data security experts to establish the facts."