Should retailers be obligated to tell shoppers every time their credit and debit cards have been hacked?
Michaels Stores, the country’s biggest crafts chain, is now saying card breaches took place over two separate eight-month-long stretches at its stores beginning as early as May of last year, including at its Aaron Brothers unit, and may have exposed as many as 2.6 million customer payment cards.
Retail analysts warn that retail chains have a history of not telling customers about hacks because they initially think the breaches are small and not worth alarming customers, just like banks that get hit daily by hackers and whose executives fear runs on deposits.
According to the respected security site KrebsOnSecurity, run by expert Brian Krebs, this incident is the second time in three years Michaels Stores has had a widespread breach of its payment systems. The problem is that while Michaels initially said the impact was small, and two independent security firms had investigated the break-ins and initially found nothing, it turns out the hacks were much more serious.
Krebs says that in May 2011, Michaels disclosed that hackers had physically tampered with some point-of-sale devices at store registers in some Chicago locations, but the hack was bigger than that. The site says further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.
But here’s the fallback crutch of a fix that Krebs says retailers are increasingly offering as a Band-Aid for your credit accounts.
Michaels, which is moving toward an initial public offering, says that while it received limited reports of fraud, it is offering identity protection, credit monitoring and fraud assistance services.
But do you think the credit monitoring guys are going to protect you from fraud?
“They’re not great at stopping new account fraud committed in your name,” Krebs warns. “The most you can hope for with these services is that they alert you as quickly as possible after identity thieves have opened or attempted to open new accounts in your name.”