Michaels Breach Convictions Point To The Most Sophisticated PIN Pad Attack Yet
Written by Frank Hayes

More than a year after the 1,100-store Michaels chain was breached after PIN pad tampering, the feds have their first convictions: two Los Angeles street gang members, who were apparently recruited just to collect money from debit-card victims’ bank accounts. But the crooks who actually executed the attack are still on the loose—and, apparently, still completely unknown.
But we now know more about the breach, which involved physically replacing PIN pads in 84 stores across the country to capture at least 94,000 card numbers. And with those new details, chains have more reason than ever to be worried.
On July 25, a federal judge in California sentenced Eduard Arakelyan and Arman Vardanyan to five years in prison for bank fraud and identity theft after they were caught in March using counterfeit payment cards to get money from ATMs, using account numbers and PINs acquired during the Michaels breach.
But according to court documents, the two men had nothing to do with the breach itself. They were recruited by an ethnic Los Angeles gang called Armenian Power just to collect cash from ATMs in the Las Vegas and San Francisco areas. They also weren’t the first to start using the stolen numbers—they started in May 2011, after Chicago-area banks first reported what was then thought to be a breach only at local Michaels stores.
And they were well equipped for the job. When they were caught, “defendants Arakelyan and Vardanyan possessed 952 blank gold and silver counterfeit access devices [cards] reencoded with at least 943 real persons’ financial institution account numbers. On each counterfeit card was a four-digit PIN handwritten in pen, corresponding to each person’s true PIN. Both the PINs and the account numbers had been previously stolen along with the account numbers,” according to the San Francisco U.S. Attorney’s office. They also had eight cell phones, a laptop, a GPS device loaded with ATM locations, two handguns and $56,599 in cash.
Understand, that was just for the cash collection part of the operation, which was apparently outsourced to the street gang. There’s no indication of how many other cash-collecting teams were involved or whether more than one gang participated.
That’s on top of the unusual sophistication of the breach. Court documents also confirm what Michaels wouldn’t say last year: At the 84 Michaels stores hit in the breach, thieves replaced at least one PIN pad per store with an apparently identical PIN pad that had been rigged to capture card numbers and PINs. The thieves could then collect that info using a Bluetooth device in the rigged PIN pad, so they could continue to collect numbers until the breach was discovered.
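A swap of the kind described above is hard to spot by eye, since the rogue pad looks identical, but it does change the device serial number. As an added example (not from the article, and not Michaels' own procedure), here is a small Python check that reconciles the registered PIN pad serial for each store lane against the serial staff read off the device during a daily inspection, flagging swapped, missing and unregistered units. All store numbers, lane ids and serials are constructed sample data.

```python
"""Daily PIN pad (PED) inventory reconciliation.

Added example, not from the article: flags lanes whose PIN pad serial number
differs from the registered one, or whose device is missing, so that a
look-alike swap is caught at the next inspection instead of months later.
Store numbers, lane ids and serials below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (store number, lane id)


@dataclass(frozen=True)
class Finding:
    store: str
    lane: str
    kind: str  # "swapped", "missing" or "unregistered"
    expected: Optional[str]
    observed: Optional[str]


def reconcile(registry: Dict[Key, str], observed: Dict[Key, str]) -> List[Finding]:
    """Compare the registered serial per lane with what was read off the device today."""
    findings: List[Finding] = []
    for key, expected in registry.items():
        seen = observed.get(key)
        if seen is None:
            findings.append(Finding(*key, "missing", expected, None))
        elif seen != expected:
            # Serial changed: the registered unit is gone and a different device sits on the lane.
            findings.append(Finding(*key, "swapped", expected, seen))
    for key, seen in observed.items():
        if key not in registry:
            findings.append(Finding(*key, "unregistered", None, seen))
    return sorted(findings, key=lambda f: (f.store, f.lane))


# Constructed sample: what the asset registry says should be on each lane.
REGISTRY: Dict[Key, str] = {
    ("0412", "L1"): "PED-7A31C9",
    ("0412", "L2"): "PED-7A31D0",
    ("0975", "L1"): "PED-88F012",
}
# Constructed sample: serials read during today's opening check.
OBSERVED: Dict[Key, str] = {
    ("0412", "L1"): "PED-7A31C9",
    ("0412", "L2"): "PED-9C00E4",  # not the registered unit: look-alike swap
    ("0975", "L3"): "PED-1234AB",  # a lane nobody registered
}

if __name__ == "__main__":
    for f in reconcile(REGISTRY, OBSERVED):
        print(f"store {f.store} lane {f.lane}: {f.kind} (expected {f.expected}, observed {f.observed})")
```

A "swapped" or "missing" finding should trigger a physical check of the lane the same day; the registry itself needs to be updated only through the normal device-replacement process, otherwise a rogue pad becomes the new baseline.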
Even when banks (and it was the banks, not Visa’s or MasterCard’s antifraud systems) identified the breach after customer complaints, they assumed it was just a problem at Chicago-area Michaels stores. The thieves had sorted the cards by bank and initially only used Chicago-area account numbers and PINs. It wasn’t until the chain investigated thoroughly that it became clear the stores hit were spread across the U.S., from Georgia to Oregon.
In other words, this isn’t the type of breach chains would have expected even three years ago.
August 2nd, 2012 at 3:43 pm
Do not literally “screw down” a pin pad, as it will cause a TAMPER ERROR. Switching PEDs is not easily accomplished without employee complicity or failure to follow best practices. Train and retrain, then hold accountable employees who don’t follow procedures. You don’t leave a cash register unattended nor a POS terminal, period!
August 14th, 2012 at 11:02 am
Hackers are always steps ahead. But, it is shocking to read it takes a long time to spot the breaches. Also, is it that easy to swap a PIN pad? I thought Aldi does not accept credit cards. Maybe they changed to cash only after the breach.