IRVING, Texas–New insights have been revealed into how cyber-attackers hacked into 80 Michaels craft stores four years ago and what they did with information from the nearly 100,000 payments cards that were compromised.
Unlike other cyberfraud attacks, the conspirators allegedly were seeking to get cash rather than sell stolen debit and credit card numbers on the so-called dark web.
According to the indictment in New Jersey District Court in the case of Crystal Banuelos, who has pleaded guilty to committing bank fraud and aggravated identity theft as the lead defendant in the Michaels case, Banuelos and co-defendant Angel Angulo were able to steal $420,000 from banks via fraudulent ATM withdrawals. The banks involved included Bank of America, TD Bank, U.S. Bank, BMO Harris, JPMorgan Case, Wells Fargo and Beneficial Bancorp.
In the indictment, authorities allege that Banuelos, Angulo and other unnamed conspirators replaced 88 legitimate POS devices with manipulated terminals at 80 different Michaels locations in 19 states that were then used to capture and store card data and PINs.
The fake terminals used wireless technology, allowing the alleged conspirators to retrieve the stolen account information without having to actually retrieve the physical counterfeit POS device, the indictment states.
From February through April of 2011 the duo were able to compromise approximately 94,000 debit and credit card account numbers, the indictment said.
At the time of their arrest, authorities say Banuelos and Angulo had 179 counterfeit cards in their possession and were attempting to defraud an additional $129,000 from ATMs owned by the banks.
The key for the alleged criminals: getting the PINs on those cards. PINS are typically not obtained in data breaches such as that at Home Depot.
The one mystery that remains is how the criminals were able to replace the physical terminals.