GameStop is investigating the possibility hackers may have stolen credit card and customer information from its website, the retail giant acknowledged yesterday to Brian Krebs, a journalist specializing in computer security.
The Grapevine, Texas-based company acknowledged that it had been alerted to a claim of payment card data, stolen from GameStop.com, being offered for sale on a black market website.
"That day a leading security firm was engaged to investigate these claims,” GameStop told Krebs. “GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified."
Krebs, citing two unnamed sources in the financial industry, said the attacks likely occurred between mid-September 2016 and the first week of February 2017, based on alerts from a credit card processor.
Significantly, Krebs' sources said that card verification value numbers — CVV2 numbers, the three-digit verification code on the back of a physical credit card — were among the data siphoned from GameStop.com. Other information compromised in the breach includes credit card numbers, expiration dates, names and addresses of the card holders.
Krebs noted that CVV2 data is not supposed to be stored by online retailers. If it was stolen from GameStop.com, it's possible that the attackers placed malware on the site to copy the data as it was entered, before it could be encrypted and transmitted.
"There is a reason companies aren't allowed to store this CVV2 data in their own databases, so the fact that the hackers were able to intercept these security codes elevates the severity of the incident significantly," Vishal Gupta, the CEO of security firm Seclore, told Polygon in a statement. "If Brian Krebs' report is correct, the GameStop breach has the potential to be a huge payday for hackers."
GameStop would not confirm the suspected timeframe of the breach or Krebs' report of what types of customer information thought to be compromised.
"“We regret any concern this situation may cause for our customers,” GameStop said in a statement, advising customers to monitor their accounts and statements for unauthorized charges, and report them to their banks immediately.