Credit unions in 20 states will want to pay particular attention to their fraud alerts and protections after the Michaels retail chain announced they had experienced an ongoing card data breach.


The states where the breach occurred included Colorado, Delaware, Georgia, Iowa, Illinois, Massachusetts, Maryland, North Carolina, New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Utah, Virginia and Washington.


The retailer, which specializes in arts and crafts, has remained very quiet about the breach, citing the ongoing investigation, but has reported that it is somewhat unusual in that it appears the retailer's PIN pad terminals at points of sale were tampered with and compromised.


Other breaches have involved hacking into computer networks or servers. Tampering with PIN pads or skimming at ATMs generally happens in cases of one or two pads or ATMs in a given location.


The retailer first went public in the Chicago area with news about the breach on May 4 after law enforcement authorities contacted the firm with suspicions about a card data breach. Subsequent investigation found the PIN pad tampering in the Chicago stores and then discovered that the tampering had spread far and wide.


“Michaels has identified less than 90 individual PIN pads (or approximately 1% of the total devices) in its 964 US stores that showed signs of tampering,” the Irving, Texas-based company said in its most recent statement. “Suspicious PIN pads were disabled and quarantined immediately. Out of an abundance of caution, Michaels has removed approximately 7,200 PIN pads comparable to the identified tampered PIN pads from its U.S. stores.”


The company announced that it has begun replacing these PIN pads in all U.S. stores and expects the replacement to be completed within the next 15 days. “Until the new upgraded PIN pads are installed, customers may have their credit and signature debit transactions processed on the store register. As an additional precaution, Michaels is screening all PIN pads in Canadian stores,” the retailer added.


The company has not yet said if it was compliant with the industry's PCI data security standards at the time of the breach. According to card executives, no retailer has been breached while being compliant with the standards.


A spokesman for PSCU Financial Services said the processing CUSO had seen fraud cases linked to the breach but that, so far, the fraud they had seen had been restricted to five or six CUs in the Chicago area.


But an executive with the CUSO stressed that authorities there were still waiting for more information to come in. “We won't see card numbers from the other cases [the retailer has revealed] until later this week, so I am not drawing any conclusions based on the [small number of fraud reports so far],” said Steve Ruwe, a former executive with Visa and now PSCU's chief risk officer.


Card security experts are scratching their heads over the Michaels breach, in part because it took place across multiple states and multiple venues. That suggests that someone could have gone from store to store to tamper with the PIN pads, a process which seems very risky, time consuming and a lot of work. Or the thieves managed to hack into Michaels PIN pads in the Chicago area, insert some malware to allow the thefts and then figured out how to move the malware from pad to pad across the company. But if that was the case, why didn't they infect all the stores' PIN pads?


But sources familiar with the investigation say that investigators are focusing on what they call a point-of-sale swap fraud, in which fraudsters will actually swap out compromised point of sale pads for good ones and then return in two or three days to pick them up, now filled with consumer data. Once they have card data and PIN, the fraudsters will drive to another community and use the data at ATMs or POS terminals in that location.


Ruwe also noted that the Michaels case was unusual in that the retailer stepped forward fairly quickly after it had determined there was a problem. “You don't often see that,” Ruwe said.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.