BankInfoSecurity reports on new information on the Michaels breach from 2011. Exactly why all stores should implement PCI-validated P2PE: any device tampering will automatically shut down the device. In this case, 88 legitimate POS devices at 80 different Michaels locations across 19 states were replaced with manipulated terminals that were used to capture and store card data and PINs.
More than four years after the point-of-sale attack that struck 80 Michaels craft stores throughout the U.S., compromising nearly 100,000 payment cards, details about how the attackers pulled off their scheme have finally emerged.
On Nov. 17, Crystal Banuelos of California, a lead defendant named in the 2011 Michaels debit breach, pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft (see Michael’s Breach: What We’ve Learned).
Banuelos’ sentencing date has not yet been set. She faces a maximum sentence of 32 years in prison and a $1 million fine.
In her plea filed with a New Jersey District Court, Banuelos notes that she conspired to steal credit and debit card data, as well as PINs, from Michaels’ customers, and knowingly used counterfeit cards created from that stolen data to conduct fraudulent cash withdrawals at ATMs.
In all, authorities believe Banuelos and Angel Angulo, a co-defendant named in the indictment whose case is still pending, stole $420,000 from banks through fraudulent ATM withdrawals. Banks defrauded in the scheme, according to the indictment, include U.S. Bank, BMO Harris, Bank of America, JPMorgan Case, TD Bank, Beneficial Bancorp and Wells Fargo.
To perpetrate their crime, prosecutors allege Banuelos, Angulo and other unnamed conspirators swapped out 88 legitimate POS devices at 80 different Michaels locations across 19 states with manipulated terminals that were used to capture and store card data and PINs.
“Each counterfeit POS device was equipped with wireless technology, whereby conspirators wirelessly retrieved the stolen account information without having to retrieve the counterfeit POS devices,” the indictment claims. “In or about February 2011 and in or about April 2011, conspirators compromised approximately 94,000 debit and credit card account numbers from customers at a number of Michaels’ locations across the United States, including in the District of New Jersey.”