Some of you may remember the 2011 data breach at Michaels, a national chain of craft stores in which 94,000 debit and credit card numbers were stolen along with the PINs for the debit cards. Recently, Crystal Banuelos, the apparent mastermind of the scam, pleaded guilty to charges of conspiracy to commit bank fraud and aggravated identity theft. Sentencing is scheduled for February 23, 2016 in the Federal District Court for New Jersey. Unlike the notorious data breaches at Target and Home Depot, in this case, Banuelos and her co-conspirators physically went into 80 Michaels’ stores around the country posing as service technicians and swapped out legitimate card processing equipment for machines controlled by them that would capture the credit card and debit card information along with the PINs used with the debit cards and transmit that information electronically to Banuelos, who then used that information to create counterfeit debit cards which they used with the stolen PINs to steal $420,000 from their victims’ accounts through ATMs.
While PINs are encrypted in a fashion that makes it all but impossible for hackers of legitimate card processing equipment to capture PINs, the use of their own equipment enabled Banuelos and her cohorts to harvest PINs as well as credit and debit card information. However, the new EMV chip card processing devices will not be as easily manipulated to steal this information in the future. Again the lesson for consumers is that you are only as safe as the places with which you do business that have the weakest security so it is important to regularly check your bank account and credit card accounts for evidence of any fraudulent use and report that use as soon as possible. It is also important to refrain from using your debit card for retail purchases because if your information is compromised, your rights under consumer protection laws are not as strong as if your credit card information is compromised