I received a letter from GameStop dated June 2 which begins as follows: “GameStop recently identified and addressed a security incident that may have involved payment card information for your payment card ending in [elided].”
Kotaku has more on the breach, which affected anyone who “placed or attempted to place orders on our website from August 10, 2016 to February 9, 2017.”
Hmm… Why does GameStop ring a bell for me? Why does that date range ring a bell?
Oh, yeah, because I attempted, unsuccessfully, several times, to buy something through their web site on October 9, and their response to my complaints about the problem was so entirely bogus that I resolved never to give them a cent of my money and to discourage others from doing so.
KrebsOnSecurity says the data stolen from GameStop was “thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the backs of credit cards… Online merchants are not supposed to store CVV2 codes, but hackers can steal the codes by placing malicious software on a company’s e-commerce site, so that the data is copied and recorded by the intruders before it is encrypted and transmitted to be processed.”
I think I was unable to make purchases on the GameStop web site in October was because hackers broke the functionality of the site while deploying code to capture the credit-card data of purchasers. I think if GameStop hadn’t completely blown off and ignored my complaints about the problem, but rather had investigated my issue and attempted to determine the root cause of it when I reported it, they could have discovered the breach in October and prevented the hackers from spending four more months stealing people’s credit-card data.
This is why when a customer tells you that your web site isn’t working, you listen to them.
Incidentally, most merchants who suffer a breach like this offer to pay for a year of credit-report monitoring, such as e.g. IdentityGuard, for affected customers. All GameStop offered was some free advice: “We encourage that you remain vigilant to the possibility of fraud and identity theft by reviewing your financial statements and credit reports for any unauthorized activity.” I smell a class-action lawsuit — and, quite possibly, bankruptcy, given all the other troubles they’ve been having — in GameStop’s future.
I will be contacting my credit-card company to ask them to replace my card, which of course will require updating all automated payments and merchants where the old card number is saved. So in addition to wasting my time back in October by rejecting my valid purchases and then providing zero customer support about the issue, GameStop will end up wasting hours more of my time dealing with changing my credit card everywhere.
Way to go, GameStop. I hope this puts you out of business.