GameStop hacked. Financial data of online shoppers was accessed by crooks


Personal and financial information about GameStop online shoppers could have been compromised in a breach that occurred between Aug. 10, 2016 and Feb. 9, 2017.

GameStop is the latest victim of a data breach, and customers received security breach notifications this week. Personal and financial information could have been compromised in a breach that occurred between Aug. 10, 2016 and Feb. 9, 2017. The company publicly acknowledged the breach in April.

The company sent postal letters to its customers, confirming that an undisclosed number of online customers had their credit card or bank card data stolen. Hackers accessed card numbers, expiration dates, names, addresses and also the three-digit card verification values (CVV2).

Customers are questioning the company about the delay in the breach notification: customers who were not promptly informed had their financial data exposed for months.

“GameStop recently identified and addressed a security incident that may have involved your payment card information. We are providing this notice to inform you of the incident and to call your attention to some steps you can take to protect yourself. At GameStop, we value our customers and understand the importance of protecting customer personal information. We sincerely apologize for any inconvenience or concern this incident may cause.” reads the letter sent to the customers.

“After receiving a report that data from payment cards used on may have been obtained by unauthorized individuals, we immediately began an investigation and hired a leading cybersecurity firm to assist us. Although the investigation did not identify evidence of unauthorized access to payment card data, we determined on April 18, 2017 that the potential for that to have occurred existed for certain transactions.”


In April, the popular investigator Brian Krebs reported that GameStop had received an alert from a credit card processor stating that the company website had been hacked and financial data exposed.

“GameStop recently received notification from a third party that it believed payment card data from cards used on the website was being offered for sale on a website.” reads a statement published by GameStop.

The company operates 7,500 retail stores and owns online game sites and the online retailer ThinkGeek.

According to the company, retail customers were not impacted by the security breach; the PoS systems at the company's stores were not infected.

At the time of writing, there is no information about the extent of the breach or the hacking techniques used by the attackers.

Pierluigi Paganini

(Security Affairs – GameStop, data breach)