Essays on Data Breach at Michael's Company Case Study

Download full paperFile format: .doc, available for editing

The paper 'Data Breach at Michael's Company' is a good example of a Management Case Study. Michaels Company is one of the largest arts and crafts chain stores in the world. The company reported a data breach at the end of January 2014. Through its press release, the company reported that around 2.6 million cards that were used in payments at the store had potential exposure between May 2013 and January 2014. Additionally, it reported that close to four hundred thousand cards had been affected at Aaron Brother stores between June 2013 and January 2014 (Walters, 2014).

It illustrated that both the credit and debit card numbers and their expiry dates had been severely exposed. Nevertheless, personal information for instance addresses, PINs, and names was safe. The company first acknowledged the possible data breach in January 2014, following the largest data breach recorded in history by Target Company which affected over 100 million customers (Walters, 2014). From the statement posted on the company’ s website on Thursday, the company disclosed that two security firms found evidence of possible data breach at Michaels and its subsidiary, framing company, Aaron Brothers.

The attack at Michaels mostly invaded the point-of-sale systems of the company. The company has 1135 stores and 119 stores of its subsidiary. The disclosure of this data breach was made public from a joint press release and a statement on the company’ s website. According to Irving, a Texas-based Michaels, two independent security firms that they hired to investigate security breach at the company initially found no threat. It took weeks of continuous analysis for the company to realize evidence confirming that their systems and at its subsidiary, Aaron Brothers had been hacked.

The hawkers used highly sophisticated malware that both the two security firms had not encountered before. These cybercriminals planted the malware on cash registers at the company’ s stores across the nation stealing approximately three million debit and credit card numbers of the customers (Cease, 2014). The details about the data breach as revealed by the company was a bit sparse since it was made as part of an ongoing investigation. An important note is that the announcement was made shortly after Brian Krebs, a technology writer, reported that the Company was investigating data breach (Arlitsch & Edelman, 2014).

The first reaction of the retailer was to send notification letters to its impacted customers. The letters directed that the company learned of fraudulent activities on the cards that had previously been used in the company. A crime for cash Financial fraud experts said Michaels Company’ s point-of-sale (POS) attack was waged on cash and not cards. Unlike other massive data breaches against the giant U. S., retailers for instance Target which aimed at stealing debit and credit card numbers and selling in Dark Web, Michaels's attack aimed at compromising the PINS and card numbers to be used in fraudulent ATM withdrawals (Arlitsch & Edelman, 2014).

The perpetrators had to attack the customer's PINs at the terminal since the encryption of the PIN was so strong that after it passed the terminal it was impossible to get the PIN. The Michaels POS swap sounds a low tech scheme but it forms one of the several similar attacks on hundreds of retail stores. This attack confirmed tactics that the company analysts had previously suggested but had not been able to definitely pinpoint.



Arlitsch, K. and Edelman, A., 2014. Staying safe: Cyber security for people and organizations. Journal of Library Administration, 54(1), pp.46-56.

Becker, M.J., 2014. The consumer data revolution: The reshaping of industry competition and a new perspective on privacy. Journal of Direct, Data and Digital Marketing Practice, 15(3), pp.213-218.

Cease, C.C., 2014. Giving Out Your Number: A Look at the Current State of Data Breach Litigation. Ala. L. Rev., 66, p.395.

Chen, C.C., Shaw, R.S. and Yang, S.C., 2006. Mitigating information security risks by increasing user security awareness: A case study of an information security awareness system. Information Technology, Learning, and Performance Journal, 24(1), p.1.

Choobineh, J., Dhillon, G., Grimaila, M.R. and Rees, J., 2007. Management of information security: Challenges and research directions. Communications of the Association for Information Systems, 20(1), p.57.

Contemporary Public Speaking, First Edition. Faculty of Business, Government & Law, University of Canberra

Hemphill, T.A. and Longstreet, P., 2016. Financial data breaches in the US retail economy: Restoring confidence in information technology security standards. Technology in Society, 44, pp.30-38.

Hoover, J.N., 2013. Compliance in the ether: cloud computing, data security and business regulation. J. Bus. & Tech. L., 8, p.255.

Kern, T., Willcocks, L.P. and Lacity, M.C., 2002. Application service provision: Risk assessment and mitigation. MIS Quarterly Executive, 1(2), pp.113-126.

Management Communication, First Edition. Faculty of Business, Government & Law, University of Canberra

Modi, S.B., Wiles, M.A. and Mishra, S., 2015. Shareholder value implications of service failures in triads: The case of customer information security breaches. Journal of Operations Management, 35, pp.21-39.

Pearson, S., 2009, May. Taking account of privacy when designing cloud computing services. In Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing (pp. 44-52). IEEE Computer Society.

Rhee, H.S., Kim, C. and Ryu, Y.U., 2009. Self-efficacy in information security: Its influence on end users' information security practice behavior. Computers & Security, 28(8), pp.816-826.

Shields, K., 2015. Cybersecurity: Recognizing the Risk and Protecting against Attacks. NC Banking Inst., 19, p.345.

Sonnenreich, W., Albanese, J. and Stout, B., 2006. Return on security investment (ROSI)-a practical quantitative model. Journal of Research and practice in Information Technology, 38(1), pp.45-56.

Stoneburner, G., Goguen, A.Y. and Feringa, A., 2002. Sp 800-30. risk management guide for information technology systems.

Subashini, S. and Kavitha, V., 2011. A survey on security issues in service delivery models of cloud computing. Journal of network and computer applications, 34(1), pp.1-11.

Sweeney, L., 2002. K-anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(05), pp.557-570.

Walters, R., 2014. Cyber-attacks on us companies in 2014. Heritage Foundation Issue Brief, (4289).

Zissis, D. and Lekkas, D., 2012. Addressing cloud computing security issues. Future Generation computer systems, 28(3), pp.583-592.

Download full paperFile format: .doc, available for editing
Contact Us