GAMESTOP: data breach compromised credit card info between September 2016 and February 2017
Intruders may have taken key payment info from online shoppers.
Did you shop at GameStop's online store for the holidays, or take advantage of its post-holiday clearance sales? You might want to check your credit card statement. GameStop has confirmed to security guru Brian Krebs that it's looking into a possible data breach that compromised credit card info between September 2016 and February 2017. Krebs' financial industry sources claim that the intruders took not only card numbers, expiration dates and cardholder addresses, but also the three-digit security number that's ordinarily hard to get (as it's not usually stored online). This suggests the attackers planted malware on the site to harvest the info before it was transmitted -- if so, this was clearly not a run-of-the-mill breach.
GameStop isn't providing much official detail at this point, but it understands that the payment data may have been "offered for sale on a website." The company adds that it hired a "leading security firm" to investigate on the same day it caught word of the intrusion.
There are still quite a few unknowns, provided the breach report is accurate. How many people are affected? How did the perpetrators get in and operate for months? The one consolation is that GameStop is acting relatively quickly -- there have certainly been incidents where companies took their sweet time discovering that something was amiss.