GameStop Currently Investigating Possible Data Breach

GameStop Storefront image

Attribution: Mike Mozart

GameStop is the most recent potential victim of a cyber data breach. The company recently hired a leading security firm to investigate allegations that its website was hacked and that customer data and credit card information were stolen. According to reports, a third party found data for sale on a black market website that was believed to have been illegally obtained from Gamestop.com through hacking activity.

The popular video game store chain has thousands of retail stores nationwide, but also operates a successful online store. It is believed that Gamestop.com was hacked and that the data was stolen through the use of malware that gained access to the company’s servers, but this is yet to be confirmed. The alleged GameStop data breach is thought to have occurred between September 2016 and early February 2017. The data that was potentially stolen includes customers’ names, addresses, and credit card data, including credit card numbers, expiration dates, and card verification values (CVV2 codes, i.e., the three- or sometimes four-digit security code that is usually located on the back of a credit card).

CVV2 Codes are Not Supposed to be Stored by Online Retailers

An interesting clue concerning this data breach is that CVV2 credit card codes are believed to have been stolen. Under the Payment Card Industry Data Security Standard (PCI DSS), online retailers are not supposed to store CVV2 codes, which suggests that the hackers intercepted these codes, rather than plundered them from a GameStop server. PCI DSS only allows merchants to store account numbers, cardholder name data, expiration date data, and service code information for the card. Merchants cannot store CVV2 codes, PIN data for the credit card, or magnetic stripe information.

At this time, it is believed that the hackers may have used some sort of malware to capture the CVV2 codes as customers entered them into the website to pay for merchandise online. CVV2 codes are highly valuable credit card data.

GameStop has confirmed that a data breach may have occurred and has promised to get to the bottom of the alleged breach immediately. The company is asking anyone who may have made an online purchase through its website to take precautions. Specifically, GameStop online customers should check their credit card statements for fraudulent activity.

Breach Notification Laws

Security breaches similar to the GameStop data breach happen to all kinds of businesses. Any business could become a victim of hacking, so it is important for companies to implement measures and policies designed to reduce that risk. In the event that your business is subject to a data breach, experienced data breach lawyers can ensure compliance with applicable breach notification requirements. 

 
