GameStop, North America’s largest video game retailer, is investigating reports of a recent breach that suggest hackers managed to compromise the store’s online database. The reports indicate that customer data and credit card information may have been acquired by hackers during the breach.
“GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website,” wrote a GameStop spokesperson in a statement to KrebsOnSecurity. “That day a leading security firm was engaged to investigate these claims. GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified.”
According to the security news site, sources in the financial industry informed it of alerts from a credit card processor, which stated that GameStop.com was breached sometime between mid-September 2016 and February 2017.
The compromised data consists of customer credit card information, including the card number, expiration, time, address, and the CVV2 code printed on cards for additional security. With this information, hackers can easily place fraudulent orders online, unless credit card owners take additional precautions with their bank.
KrebsOnSecurity states that online merchants like GameStop.com are not supposed to store CVV2 codes, but it is possible for hackers to steal the codes by planting malicious code on the website that captures the data before it is encrypted and processed.
In the meantime, GameStop is offering an apology to its customers, advising them to take precautions with their credit cards and monitor their bills for any fraudulent transactions.
“We regret any concern this situation may cause for our customers. GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges. If you identify such a charge, report it immediately to the bank that issued the card, because payment card network rules generally state that cardholders are not responsible for unauthorized charges that are timely reported.”
A similar intrusion occurred in 2011 when Sony’s online services were breached, forcing the company to disable the PlayStation Network. The breach cost the Japanese gaming company $171 million in losses.