All security breaches should be taken seriously--both by companies and law enforcement authorities. In many of the recent corporate breaches, information such as customer names and email addresses were stolen. When actual credit card or debit card numbers are stolen, the urgency should really kick up to a whole new level.

Consider the case of crafts store chain Michaels. It didn't get the gargantuan press coverage that followed the breaches at RSA, Sony, Citigroup and other companies. But the skimmer made off with actual debit card numbers. The scam unfolded from February through early May, as about 80 Michaels stores across the country were hit by skimmers who tampered with PIN pads to capture and use credit and debit card numbers.

Now we're seeing the consequences. Law enforcement authorities have cited upwards of 200 reports of debit card holders in Oregon who have had money stolen from accounts. Scammer also hit accounts in the Colorado Springs area. Customers of at least five credit unions in Ohio have also seen their accounts compromised. We will likely hear more reports of Michaels-related card frauds.

Unsurprisingly, end customers are not pleased with Michaels for allowing this to happen. Two lawsuits seeking class action status have already been filed. This will likely get very expensive for the small chain. According to the Chicago Tribune, one suit noted almost three months after the skimming began, Michaels sent a "belated" alert to some customers signed by Chief Executive John Menzer. The alert began, "Michaels has just learned that it may have been a victim of PIN pad tampering in the Chicago area and that customer credit and debit-card information may have been compromised." Three months?  

For more:
- here's the article

Related article:
Card breaches lead to criticism of PCI standard