- Bargaineering - http://www.bargaineering.com/articles -

Michaels offers handy DIY solutions for customers exposed in possible data breach

Another week, another retailer announcing a possible data breach that could compromise customer data and expose them to the risk of financial fraud.

A few weeks ago, it was Target, then Neiman Marcus [3] (who, like Target, is offering free identity theft protection for a year). This time, the retailer in question is Michaels, which is hands down the best place on Earth to buy assorted sizes of Styrofoam balls and everything you need for scrapbooking your cat’s birthday party.

The company put out a press release on Saturday to let us know it may have suffered a data breach [4] attack and to urge customers to take action.

“While we have not confirmed a compromise to our systems, we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves, for example, by reviewing their payment card account statements for unauthorized charges,” said Michaels CEO Chuck Rubin in a press release [5].

The data breach hasn’t been confirmed yet and how many customers have been affected is still unknown; reached for comment, a Michaels spokesman said the details in the press release linked above are the most current information they have.

Personally, this is happening so often now that I’m kind of getting tired of reading company press releases, so I made a handy word cloud I can just look at whenever this happens:

This isn’t even the first major problem Michaels has had with data security. In 2011 fraudsters tampered with payment terminals at 80 Michaels stores nationwide and stole customer debit card information, which they then used to make lots of fraudulent purchases.

(Full disclosure: My wife is a regular Michaels customer, so between this and the Target data breach [6], we may as well just start mailing our debit and credit cards to Eastern European hackers and save them the trouble.)

DIY solutions inadequate

In his letter to customers, Rubin writes that if investigators confirm that customers were affected by the Michaels data breach, they’ll offer them identity protection and credit monitoring.

Until then, Michaels generously provides contact information for the FTC and a link to annualcreditreport.com [7], the site where Americans are legally entitled to receive a free copy of their credit report from the three major credit bureaus. We’re told to “remain vigilant by reviewing your credit reports” and to “consider placing a fraud alert on your credit file.”

On the plus side, the company is doing the right thing by informing customers about their suspicions rather than sitting on the information and waiting for consumers to start complaining about identity theft, and most of the advice the company is offering is sound.

On the minus side, it’s infuriating to hear another hacked retailer putting the onus for preventing data breach-related financial fraud on customers. Doing so is analogous to me going to Michaels CEO Chuck Rubin’s house while he’s on vacation, unlocking his doors and windows and spray painting “rob me” on the garage in big letters, and then putting out a press release asking him to closely monitor his house to make sure nothing is stolen.

If companies need to process and/or store customer information in order to take debit payments and conduct their business, fine. But once they take possession of your information, regardless of how long they have their hands on it, they bear the responsibility for keeping it safe, and when they don’t live up to that responsibility, they should be the ones who bear the cost of cleaning up the mess.

What do you think? Have you been caught up in a data breach lately? Do you think asking customers to deal with the consequences is appropriate?

(Photo [8] by coolmikeol, used under CC BY [9]/cropped and altered)

(Word cloud made using Wordle)