The Michaels Stores, Fox Data Breaches: Coincidence or Cohesion?

What were the motives to the two recent public data breaches?

ByABC News
May 18, 2011, 12:21 PM

May 18, 2011— -- Well, two fascinating—and repellant—things happened in the last few days, which but for the broadest possible subject matter connection, would seem to be unrelated. On May 6, a group calling itself LulzSec hacked Fox Entertainment network computers and released personal information about people from the database of potential contestants for the popular Fox show "X Factor."

Five days later, the same group announced in quite caustic terms that it also had hacked Fox.com computers to gain access to the personal information, including email addresses, of 363 Fox employees. Within a nanosecond or two, the group also had defaced the profiles of 14 of those employees on LinkedIn, a popular business-oriented social networking site (which found and corrected the hackers' work quickly and efficiently). These announcements were made by the hackers, appropriately enough, on Twitter—one of the most trafficked social networking sites in the universe.

[Article: Bin Phishin'?]

Within those same few days, Michaels Stores—the popular arts and crafts retailer—announced it had discovered that in at least 80 of its stores nationwide, debit card swipe pads had been either swapped out or otherwise tampered with so as to allow debit card numbers and pins to be systematically stolen. Unlike other attacks of this type, such as the one directed at Stop & Shop in 2007 in which only a few stores located in the New England region were compromised, the Michaels Stores were located all over the country from New Mexico to Massachusetts. Very quickly it was also discovered that the compromised information had already been used to drain the bank accounts of scores of Michaels customers through the use of ATM machines.

The process is quite simple really -- the information from the bogus swipe pads is collected and transmitted to the thieves, who quickly create equally bogus ATM debit cards, consisting of very little but a piece of plastic with a magnetic strip. It works just like the real thing at an ATM, though. Michaels announced that within two weeks it would replace more than 7,200 swipe pads at all of its stores, and in the meantime would utilize a much slower yet more secure manual method of processing debit card transactions.

[Article: Playstation Invasion: Child Identity Theft is No Game]

Now what do these seemingly unrelated attacks have in common? First, both were cleverly executed. One assumes that Rupert Murdoch is quite sensitive when it comes to security—data security in particular. It couldn't have been a walk in the park for LulzSec to hack the Fox computers. Similarly, think of the scale of the Michaels attack; it must've taken a large number of folks, all of whom had to be reasonably technical, and all of whom were coordinated in a very precise and premeditated way across all those pads in all those stores in all those states. This crime was organized, even if it was not accomplished by organized crime.