April 18, 2014

Michaels says breaches affect up to 3 million cards

April 21, 2014 – The revelation that up to 3 million payment cards may have been affected in breaches at Michaels and its subsidiary Aaron Brothers stores serves as a reminder that consumers remain vulnerable without federal data security standards for merchants, NAFCU President and CEO Dan Berger said Friday.

"In light of this and the numerous other large-scale data breaches occurring on the heels of major breaches at Target and Neiman Marcus over the holidays, it is clear that Congress must take action to protect consumers' financial information," Berger wrote in a letter to House and Senate leaders.

Last week, Michaels confirmed that the breach, which the company hinted at in January, was accomplished with malware and may have affected 2.6 million cards used at Michaels stores from May 8, 2013, through Jan. 27, 2014, and about 400,000 cards used at its Aaron Brothers stores from June 26, 2013, through Feb. 27, 2014.

Credit unions and other financial institutions are already subject to minimum data protection requirements under the Gramm-Leach-Bliley Act. NAFCU, the first national trade group to call for action in the wake of the Target breach, continues to press for action on merchant data protection standards and breach notification requirements.

Berger's letter went to Senate Majority Leader Harry Reid, D-Nev., and Minority Leader Mitch McConnell, R-Ky.; and House Speaker John Boehner, R-Ohio, and Minority Leader Nancy Pelosi, D-Calif.