GameStop is the most recent potential victim of a cyber data breach, and the company recently hired a leading security firm to investigate allegations that the company’s website was hacked and that customer data and credit card information were stolen. According to reports, a third party found data available for sale on a black market website, which was believed to have been illegally obtained from Gamestop.com through hacking activity.
The popular video game store chain has thousands of retail stores nationwide, but also operates a successful online store. It is believed that Gamestop.com was hacked and that the data was stolen through the use of malware that gained access to the company’s servers, but this is yet to be confirmed. The alleged GameStop data breach is thought to have occurred between September 2016 and early February 2017. The data potentially stolen includes customers’ names, addresses, and credit card data, including credit card numbers, expiration dates, and card verification values (CVV2 codes, i.e., the three- or sometimes four-digit security code that is usually located on the back of a credit card).
CVV2 Codes are Not Supposed to be Stored by Online Retailers
An interesting clue concerning this data breach is that CVV2 credit card codes are believed to have been stolen. Under the Payment Card Industry Data Security Standard (PCI DSS), online retailers are not supposed to store CVV2 codes, which suggests that the hackers intercepted these codes rather than plundered them from a GameStop server. PCI DSS only allows merchants to store account numbers, cardholder name data, expiration date data, and service code information for the card. Merchants cannot store CVV2 codes, PIN data for the credit card, or magnetic stripe information.
At this time it is believed that the hackers may have used some sort of malware to capture the CVV2 credit card codes as customers entered them into the website to pay for merchandise online. CVV2 codes are highly valuable credit card data.
GameStop has confirmed that a data breach may have occurred, has promised to immediately get to the bottom of the alleged data breach, and is asking anyone who may have made an online purchase through its website to take precautions. Specifically, GameStop online customers should check their credit card statements for fraudulent activity.
Breach Notification Laws
Security breaches similar to the GameStop data breach happen to all kinds of businesses. Any business could become a victim of hacking, so it is important for companies to implement measures and policies designed to reduce that risk. In the event that your business is subject to a data breach, experienced data breach lawyers can ensure compliance with applicable breach notification requirements.