GameStop Data Breach Investigation: What Happened

[Image: GameStop storefront. Attribution: Mike Mozart]

GameStop is the most recent potential victim of a cyber data breach, and the company recently hired a leading security firm to investigate allegations that its website was hacked and that customer data and credit card information were stolen. According to reports, a third party found data for sale on a black market website that was believed to have been illegally obtained from Gamestop.com through hacking activity.

The popular video game store chain has thousands of retail stores nationwide and also operates a successful online store. It is believed that Gamestop.com was hacked and that the data was stolen through malware that gained access to the company’s servers, but this has yet to be confirmed. The alleged GameStop data breach is thought to have occurred between September 2016 and early February 2017. The data potentially stolen includes customers’ names, addresses, and credit card data, including credit card numbers, expiration dates, and card verification values (CVV2 codes, i.e., the three- or sometimes four-digit security code usually located on the back of a credit card).

CVV2 Codes are Not Supposed to be Stored by Online Retailers

An interesting clue concerning this data breach is that CVV2 credit card codes are believed to have been stolen. Under the Payment Card Industry Data Security Standard (PCI DSS), online retailers are not supposed to store CVV2 codes at all, which suggests that the hackers intercepted these codes rather than plundered them from a GameStop server. PCI DSS only allows merchants to store the account number, cardholder name, expiration date, and service code for the card. Merchants cannot store CVV2 codes, PIN data, or magnetic stripe information.

At this time it is believed that the hackers may have used some sort of malware to capture CVV2 codes as customers entered them into the website to pay for merchandise online. CVV2 codes are highly valuable credit card data because they are exactly what a legitimate merchant is forbidden to retain.

GameStop has confirmed that a data breach may have occurred, has promised to get to the bottom of the alleged breach immediately, and is asking anyone who made an online purchase through its website to take precautions. Specifically, GameStop online customers should check their credit card statements for fraudulent activity.

Breach Notification Laws

Security breaches similar to the GameStop data breach happen to all kinds of businesses. Any business could become a victim of hacking, so it is important for companies to implement measures and policies designed to reduce that risk. In the event that your business is subject to a data breach, experienced data breach lawyers can ensure compliance with applicable breach notification requirements.

The GameStop Data Breach in Context: Legal Obligations and Lessons for Online Retailers

The GameStop data breach investigation highlights a set of legal and regulatory obligations that apply to any online retailer that collects payment card data—and the significant consequences that follow when those obligations are not met. Understanding the Payment Card Industry Data Security Standard (PCI DSS) and the legal framework surrounding payment card data is essential for any e-commerce business.

PCI DSS: Industry Self-Regulation With Legal Teeth

The Payment Card Industry Data Security Standard is a set of security requirements established by the PCI Security Standards Council—a body controlled by major card networks including Visa, Mastercard, American Express, Discover, and JCB. PCI DSS is not a statute, but non-compliance has real legal consequences through the card network contracts that every merchant accepts when they begin accepting credit card payments.

PCI DSS Requirement 3.2 expressly prohibits merchants from storing sensitive authentication data after authorization, including CVV2 codes, full magnetic stripe data, and PIN blocks. The alleged theft of CVV2 codes from GameStop suggested that these codes were either being stored (a direct PCI DSS violation) or intercepted in transit through malware that captured them before they could be discarded. Both scenarios reflect security failures with significant legal and financial consequences.

Merchants found to be non-compliant with PCI DSS at the time of a breach can face: (1) card network fines of $5,000–$100,000 per month; (2) costs of forensic investigations required by the card networks; (3) liability for card replacement costs; and (4) placement on the Terminated Merchant File, which effectively prevents the merchant from accepting credit cards in the future.

State Data Breach Notification Laws and Online Retailers

A data breach affecting GameStop customers’ credit card information would trigger notification obligations in virtually every state in the United States. As of 2017, all 50 states and the District of Columbia had enacted data breach notification laws, with varying timelines ranging from “most expedient time possible” (California) to 30 days (Florida) to 90 days (some states).

For an online retailer with a national customer base, a breach triggering notification obligations in all 50 states simultaneously creates an enormous compliance challenge. Notification must be tailored to each state’s requirements—the required content, method of delivery, and timing obligations differ significantly. Many companies maintain a state breach notification law matrix that allows them to run through compliance requirements rapidly when a breach is discovered.

The Federal Trade Commission also has jurisdiction over online retailers’ data security practices under Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits unfair or deceptive trade practices. A retailer that represents to consumers that their payment card information is secure while failing to implement basic security measures may face FTC enforcement action.

Malware-Based Payment Card Theft: How Attackers Capture CVV2 Codes

The suspected mechanism of the GameStop breach—malware that captured payment card data as customers entered it—is a variant of an attack technique known as “formjacking” or payment card skimming malware. Instead of stealing data from storage (which is harder because stored CVV2 codes are supposed to be discarded immediately after authorization), attackers inject malicious code into the checkout process that intercepts card data in the customer’s browser before it is transmitted to the payment processor.

This type of attack is difficult to detect through standard security scanning because the malicious code often mimics legitimate website functionality. Defending against it requires sophisticated endpoint detection capabilities, regular integrity checking of website code, and robust monitoring for unusual data exfiltration patterns. Security frameworks such as the OWASP Application Security Verification Standard (ASVS) provide technical guidance for protecting web applications against this class of attack.

Consumer Rights After a Payment Card Breach

Consumers whose payment card data was stolen in a breach have several legal protections. The Fair Credit Billing Act (FCBA), 15 U.S.C. § 1666 et seq., limits consumer liability for unauthorized credit card charges to $50, and card networks’ zero-liability policies typically eliminate even that exposure for debit and credit card fraud reported promptly. The Real ID Act and the Electronic Fund Transfer Act provide parallel protections for debit card fraud.

However, consumers may suffer consequential harms beyond fraudulent charges: time spent disputing charges, replacement card disruption, and damage to credit scores if fraudulent accounts are opened in their names. Class action litigation in payment card breach cases typically seeks to recover these consequential damages, though Article III standing barriers (demonstrating concrete injury) remain significant.

If your business has suffered a data breach involving payment card information, or if you want to assess your current PCI compliance posture, contact the data breach attorneys at Revision Legal. We help businesses navigate both the technical and legal dimensions of cybersecurity incidents. Reach out today.
