A 22-year-old West Michigan man is facing felony charges for allegedly selling log-in data for the Meijer customer rewards program, mPerks.
The Michigan Attorney General’s office says the data breach likely didn’t start with Meijer. Rather, the information may have come from data taken from another institution.
Officials say data sets containing stolen personal information, like passwords, are available online.
Authorities allege Nicholas Mui of Grand Haven found some of that data worked for getting into mPerks accounts, then sold that access.
The Attorney General’s office says over $400,000 worth of cash and cryptocurrencies, like Bitcoin, were seized as part of the investigation.
Nessel is using the case as a chance to call for stronger data protection laws. She said she’d like to see lawmakers require data breaches to be revealed to those affected sooner.
“I think it’s reasonable to say that if somebody has accessed that information, a bad actor, that you let the individual know as soon as possible. But that’s not the law in Michigan,” Nessel said.
Mui faces charges for conducting a criminal enterprise, using a computer to commit a crime, and seven counts of identity theft. The most serious of those could land him in prison for 20 years.
Though the charges relate to only a handful of cases, Nessel said hundreds of people were likely affected.
Nessel said it wouldn’t have helped to bring more charges for each specific case because they wouldn’t necessarily lead to more penalties.
“The thing is, is that for every complaint that we have, that’s somebody who has to come to court and testify and all the rest of it. We’re not going to have hundreds and hundreds of people come in,” Nessel said.
But her office isn’t ruling out more charges in this case.
An attorney for Mui did not respond to a request for comment.