Michaels Hit With Possible Class-Action Suit Over Data Breach

Three weeks after craft store Michaels fell victim to a data breach that compromised customers’ credit and debit card information, the chain has been hit with a lawsuit seeking class-action status for all those who directly affected by the hack.

The suit was filed late last week in the U.S. District Court in the Northern District of Illinois by a customer who says she used her Harris Bank debit card on or around March 15 to buy $18.16 in goods from a Michaels store. Plaintiff’s attorneys have asked the court to grant class-action status to the suit. This status would cover any U.S. resident who swiped their debit or credit card through a PIN pad to make a purchase at any Michaels store on or after Jan. 1, 2011.

The plaintiff says that on May 4, the day before the news of the data breach broke nationwide, she tried to get cash at the bank but could not because her card had been deactivated after the bank noticed suspicious activity, including two unauthorized transactions for $503 each.

While Michaels has claimed that as few as 100 customers’ cards were affected, other reports state that culprits tampered with 90 PIN pads in 20 states.

From the lawsuit:

Michaels’ lack of adequate security granted easy access to third parties who tampered with in-store PIN pads to ‘unwitting customers’ debit and credit card information and subsequently steal money directly from the victims’ bank accounts… In essence, Michaels’ security failure enabled cyber-pickpockets to steal customer financial data from within the retailer’s stores and subsequently loot the customers’ bank accounts from remote automated teller machines.

Michaels Stores hit with class-action suit [Chicago Breaking Business]