GameStop’s online payment card processing system likely was hacked between mid-September 2016 and the first week of February 2017, according to KrebsOnSecurity, which was told by two financial industry sources that they received alerts to that effect from a credit card processor.
The gaming and collectibles retailer confirmed to KrebsOnSecurity that a hack likely had occurred, stating, “GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website.”
Among the data potentially compromised were customer card numbers, expiration dates, names, addresses and card verification values (CVV2, usually a 3-digit security code printed on the backs of credit cards). E-commerce sites are not supposed to store the CVV2, according to KrebsOnSecurity, but the hack may have resulted in software being put in place to capture that number.
GameStop has been on a public rollercoaster ride during the last year. The company was one of the first beneficiaries of the Pokemon Go craze last summer, but after that fad faded, sales fell sharply, and GameStop is now closing about 150 of its stores. The silver lining there is that the retailer is planning on opening more collectibles and technology-focused stores.
However, the likelihood that GameStop suffered a major hacking episode is another low point, and a big one. It follows a year in which we saw the evidence piling up that hacking of online sales sites is very much on the rise, and that many companies have also been targeted by distributed denial-of-service attacks that disable their sites and cause outages.
The timing is pretty troubling because it appears that the hacking could have occurred during the months constituting the holiday shopping rush. There doesn't seem to be much more information now about how many cards might have been affected, how long the episode lasted and who might have done it. GameStop is getting some credit from some sources for moving quickly to investigate the possible breach, though the retailer clearly didn't say anything publicly about it until Krebs forced its hand.
While hacking episodes increase, a recent survey from Blumberg Capital also suggested the growing problem is not yet affecting online spending. Hearing that may discourage some retailers from acting promptly to better protect themselves and their customers. It's not clear what protections GameStop had in place for its site, but it's apparent they failed this time around.
How many hacking incidents will it take for consumers to care about what's going on, and cut back on their spending? We may eventually find out.