Arts and Craftiness: Data Breach at Michaels

Written by Sonali Shah
Vice President, Products and Marketing
I love shopping at Michaels. It allows people of all ages to express themselves. From paint by number kits, to beads and professional grade oils and varnishes, Michael’s sells products that allow us to, as Pablo Picasso said, “wash away from the soul the dust of everyday life.”

Unfortunately, something ugly has tarnished the canvases of the artists and crafters who used their debit or credit cards to shop at Michaels from May 8, 2013 to January 24, 2014. In late January 2014, Michaels announced that it was investigating a potential security breach involving customers’ credit card information. After weeks of analysis, Michaels finally confirmed yesterday that a targeted attack did indeed occur on some of their point of sales systems and that approximately 2.6 million cards may have been compromised.

At Bitsight, we have observed significant botnet activity on Michael’s network over the past year. In particular, we observed multiple instances of Conficker, a botnet that can completely compromise system confidentiality, integrity, and availability. Bitsight also observed multiple instances of Zeus, Defid, ZeroAccess and Neurevt infections. Neurevt is known to steal sensitive data from a compromised machine and to connect to remote servers to enable attacker access to the infected machine. ZeroAccess, also known as max++ and Sirefef, is used for Bitcoin mining, click fraud, and opening backdoors on compromised machines, which allows a remote attacker to gain control of the machine.

As discussed in our January 16th post, many retailers were infected by these malware strains. However, what is particularly disturbing about Michaels is the average length of time between when a security incident was first observed by Bitsight to when it was last observed. We call this metric “Event Duration” and use it as a proxy to measure how quickly a company identifies and remediates security incidents. The average event duration over the past year at Michaels is 172% longer than the average of companies in the S&P 500 (excluding telecommunications companies). While the average is 6.7 days, we observed a few Conficker infections that persisted for over 300 days.

michaels.png

There are at least two lessons to be learned here. First, evaluating a company’s security posture from the outside can be just as valuable as examining it from the inside. Whether or not the activity observed by Bitsight was indeed related to the breach, the fact is that we did observe increased malicious activity leading up to the breach period. Second, once malware has entered an organization, it can continue to cause harm long after the original incident has been removed. In the case of Michaels, as occurred at Target, the initial infection likely started off elsewhere, and then found its way to the point of sale system.

A company can never be done securing itself. It’s an ongoing process that requires constant monitoring and adaptation. Leonardo da Vinci once said, “Art is never finished, only abandoned.” In this case, security does not seem so different from art.