Federal lawsuit blames Michaels for PIN thefts

A West Chicago woman has filed a federal lawsuit against Michaels, claiming the arts-and-crafts giant failed to protect customers from “cyber-pickpockets” who stole sensitive banking information from checkout keypads at stores in 20 states.

The suit filed this week in Illinois’ northern district seeks class-action status and more than $5 million in damages for Brandi Ramundo and others whose credit and debit accounts were compromised. It comes in the wake of revelations by Michaels earlier this month that checkout PIN pads were tampered with at 80 of its stores across the country.

Ramundo says she spent $19.35 at Michaels in Bloomingdale on April 18 and within three weeks had more than $1,300 fraudulently withdrawn from her debit account at ATMs in Los Angeles and Woodland Hills, Cal.

The complaint claims Michaels “knowingly violated federal and state law” by failing to take reasonable steps to safeguard customers’ personal information. The retailer also is accused of failing to alert customers as soon as the security breach was discovered.

“In essence, Michaels’ security failure enabled cyber-pickpockets to steal customer financial data from within the retailer’s stores and subsequently loot the customers’ bank accounts from remote automated teller machines,” the suit alleges.

Ramundo could not be reached for comment Thursday, and the Chicago law firm representing her did not return several messages. In a statement, Michaels’ Senior Vice President and General Counsel Mike Veitenheimer defended the company’s response as “quick and aggressive.” He declined to discuss specific allegations in the pending suit.

“We continue to work with banks and law enforcement to aid in the investigation,” he said.

Reports of fraudulent activity involving the craft stores began to surface in Cook, DuPage and Lake counties in early May, with at least eight police departments taking complaints from customers. Last week, the company conceded the problem reached well beyond the Chicago area, affecting 80 of its 964 stores in the U.S.

According to the lawsuit, the thieves may have used “false card readers” combined with wireless cameras or electronic membranes placed over keypads to record victims’ card information and PINs, otherwise known as “skimming.” The lawsuit says the thieves then created bogus cards to use for withdrawing money at ATMs, or sold the information online.

Ramundo’s complaint contends Michaels violated consumer protection statutes by waiting nearly three months to alert customers in a May 5 email, which urged them to contact their banks and credit card companies to find out about any unauthorized charges. The suit says customers’ accounts were exposed between Feb. 8 and May 6.

“Based on the email alert, Michaels apparently expects its victimized customers to bear the fallout from its security breach, thereby thrusting upon the consumers a continuous burden of monitoring their bank accounts and credit histories,” the suit says.

Michaels said earlier this month that it was replacing 7,200 PIN pads, although less than 90 had been tampered with. The company also published a list of affected locations.

“Michaels is working closely with payment card brands and issuers to identify the accounts that may have been compromised, so issuers can employ enhanced fraud security measures immediately on potentially impacted accounts,” the retailer said in an earlier statement.