The Michaels & Fox Data Breaches: Coincidence or Cohesion?

MagnifyingGLass_Jonny_Hughes_CCFlickr Well, two fascinating—and repellant—things happened in the last few days, which but for the broadest possible subject matter connection, would seem to be unrelated. On May 6, a group calling itself LulzSec hacked Fox Entertainment network computers and released personal information about people from the database of potential contestants for the popular Fox show “X Factor.” Five days later, the same group announced in quite caustic terms that it also had hacked Fox.com computers to gain access to the personal information, including email addresses, of 363 Fox employees. Within a nanosecond or two, the group also had defaced the profiles of 14 of those employees on LinkedIn, a popular business-oriented social networking site (which found and corrected the hackers’ work quickly and efficiently). These announcements were made by the hackers, appropriately enough, on Twitter—one of the most trafficked social networking sites in the universe.

[Article: Bin Phishin’?]

Within those same few days, Michaels Stores—the popular arts and crafts retailers—announced it had discovered that in at least 80 of its stores nationwide, debit card swipe pads had been either swapped out or otherwise tampered with so as to allow debit card numbers and pins to be systematically and routinely stolen. Unlike other attacks of this type, such as the one directed at Stop & Shop in 2007 in which only a few stores located in the New England region were compromised, the Michaels Stores were geographically located all over the country from New Mexico to Massachusetts. Very quickly it was also discovered that the compromised information had already been used to drain the bank accounts of scores of Michaels customers through the use of ATM machines. The process is quite simple really; the information from the bogus swipe pads is collected and transmitted to the thieves, who quickly create equally bogus ATM debit cards, consisting of very little but a piece of plastic with a magnetic strip. It works just like the real thing at an ATM, though. Michaels announced that within two weeks it would replace more than 7,200 swipe pads at all of its stores, and in the meantime would utilize a much slower yet more secure manual method of processing debit card transactions.

[Article: Playstation Invasion: Child Identity Theft is No Game]

Now what do these seemingly unrelated attacks have in common? First, both were cleverly executed. One assumes that Rupert Murdoch is quite sensitive when it comes to security—data security in particular. It couldn’t have been a walk in the park for LulzSec to hack the Fox computers. Similarly, think of the scale of the Michaels attack; it must’ve taken a large number of folks, all of whom had to be reasonably technical, and all of whom were coordinated in a very precise and premeditated way across all those pads in all those stores in all those states. This crime was organized, even if it was not accomplished by organized crime.
On the other hand, think of the profound differences between these two events. There is no indication that LulzSec was attempting to do anything other than send a pointed and disruptive message. There isn’t a hint of a profit motive, and given the nature of their target, one might naturally assume that these folks are a technologically talented band of fellow travelers out to have a little fun at the expense of the Right. In fact, there is no indication of any criminal motive, aside from the fact that what they did was in itself a crime. But the Michaels battalion of attackers could only be it for the money—and to do what they did they must have invested quite a bit up front. Moreover, the methods of the madness were so different from one another.