Green Bay Packers online store breach exposes credit card data of thousands of fans
Thousands of American football fans have had their credit card details stolen after hackers successfully breached the online store of the Green Bay Packers football team.
Details of the hack first came to light when the football team started advising victims via letter that a “data security incident” had occurred on the website packersproshop.com that may have affected their personal information.
The letter disclosed that on Oct. 23, the football team was alerted to the presence of malicious code inserted on the site by a third-party actor. Upon learning of the breach, the team disabled all payment and checkout capabilities on the website, launched an investigation and hired cybersecurity experts to assist. The unnamed vendor that hosts and manages the shop was also required to remove the malicious code, refresh passwords and confirm that there were no remaining vulnerabilities.
The forensic investigation then found on Dec. 20 that the malicious code may have allowed an unauthorized third party to view or acquire certain customer information entered at the checkout of the site between Oct. 3 and Oct. 23. Information that may have been stolen included name, shipping and billing addresses, email address, credit card type, credit card number, credit card expiration date and credit card verification number.
Although the exact number of those affected was not disclosed in the letter, the team said in a filing with the Office of the Maine Attorney General that the number of persons affected was 8,514. Victims are being offered 36 months of complimentary credit monitoring and identity theft restoration services through Experian.
Although neither the identity of the attacker nor the method used to gain access has been disclosed, Bleeping Computer reported today that Dutch e-commerce security company Sansec, which spotted the Packers store breach in early October, found that the card skimming attack used YouTube’s oEmbed feature and a JSONP callback to bypass the Content Security Policy.
What is clear is that somewhere along the line, the attacker gained access to install card skimming code, raising questions around security, particularly in this case where all credit card details were accessed.
“To avoid similar schemes, websites using oEmbed should implement robust validation mechanisms to ensure any received data originates from a legitimate source and doesn’t contain malicious code,” Shobhit Gautam, staff solutions architect at cybersecurity and hacker program company HackerOne Inc., told SiliconANGLE via email. “It’s essential for eCommerce sites and other online sellers to carefully vet and implement third-party APIs and features to ensure proper software supply chain hygiene. That also includes requiring third-party vendors and plugins to proactively and continuously assess their security postures, which can be done through engagements like pentests and Vulnerability Disclosure Programs.”
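The bypass Sansec describes depends on a Content Security Policy whose script allowlist trusts a host that also serves JSONP-style responses. As an added example (not from the article, Sansec or the affected site), this Node.js check audits a CSP header for such allowlist entries; the `JSONP_HOSTS` list and both sample policies are constructed assumptions.

```javascript
// Added example: audit a Content-Security-Policy header for script allowlist
// entries that cover hosts known to serve JSONP-style endpoints.
// JSONP_HOSTS is an assumption: a list the site operator maintains. www.youtube.com
// is included because the article reports its oEmbed feature was used this way.
const JSONP_HOSTS = ["www.youtube.com"];

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; keep the first.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does a CSP host-source (e.g. "https://*.youtube.com", "www.youtube.com/x") cover host?
function hostSourceCovers(source, host) {
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::[0-9*]+)?(?:\/.*)?$/i.exec(source);
  if (!m) return false; // keyword, nonce, hash or scheme-only source
  const pattern = m[1].toLowerCase();
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function auditCsp(header, jsonpHosts = JSONP_HOSTS) {
  const d = parseCsp(header);
  // script-src-elem falls back to script-src, then default-src.
  const sources = d.get("script-src-elem") || d.get("script-src") || d.get("default-src");
  if (!sources) return [{ issue: "no-script-restriction" }];
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // With 'strict-dynamic' plus a nonce or hash, CSP3 browsers ignore host allowlists.
  if (lower.includes("'strict-dynamic'") && hasNonceOrHash) return [];
  const findings = [];
  for (const src of sources)
    for (const host of jsonpHosts)
      if (hostSourceCovers(src, host)) findings.push({ issue: "jsonp-capable-host", source: src, host });
  return findings;
}

// Constructed sample policies (not taken from the affected site).
const ALLOWLIST_POLICY = "default-src 'self'; script-src 'self' https://www.youtube.com https://cdn.example.com";
const NONCE_POLICY = "script-src 'nonce-r4nd0m' 'strict-dynamic' https://www.youtube.com; object-src 'none'";
console.log(auditCsp(ALLOWLIST_POLICY), auditCsp(NONCE_POLICY));
```

A finding means any script URL on that host, including one whose response body is shaped by a callback parameter, satisfies the policy; moving to nonce- or hash-based policies removes the dependency on host trust.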