Police in Beaverton, Oregon, are investigating 50 fraud reports related to the Michaels Crafts breach that reportedly compromised thousands of debit cards in 20 states. Police are asking for the public’s help in identifying four suspects caught on camera at Oregon bank machines using “white cards” created from card details skimmed at Michaels stores. Police say that the suspects are from a larger organization, one that allows multiple crews to work numerous areas and move around quickly.
The lawsuits around this breach continue to fly in, and Michaels replaced all of its US point-of-sale terminals by May 6 to contain the risk of continued compromise. The lawsuits focus on the time taken to notify customers of the breach, inadequate protection of data, and violations of various regulatory acts.
Forty-six states currently have mandatory reporting, but only three or four have public websites where the public can see the notices that have come into the state’s attorney general’s office. Texas, the state where Michaels is based, has breach notification statutes on the books. However, the law says that companies should notify the public “as quickly as possible”, and most other states do not specify a timeframe for “reasonable notification”. This case and others like it could set legal precedents for what counts as a reasonable notification timeline until a national act is passed. I will continue to watch this issue with interest.