OK, updating the status on this. Another manager forwarded this to me; he just received it:
February 10th, 2021
To our loyal customers-
We are writing to let you know that on February 8th, we learned that several customers who used credit cards on our website during January and February 2021 were subsequently notified of fraudulent transactions on their credit cards. This happened despite the strict security protocols we maintain at Strat-O-Matic and on strat-o-matic.com. Sadly, we join a long list of companies (large and small) who have had customer information stolen. However, it is important to note that identities were not stolen, as Strat-O-Matic has no social security or birthdate information for our customers. We also do not store credit card information (you must re-enter your credit card every time you purchase at Strat-O-Matic). Despite these precautions, our investigation to date has revealed that hackers were able to intercept credit card numbers inputted into our site for the period from January 5, 2021 through February 8, 2021.
Our investigation to date indicates this incident only impacts individuals who conducted credit card transactions on our website between January 5, 2021 and February 8, 2021. The investigation also indicates that this criminal activity has not impacted anyone who used PayPal to pay for purchases on our site, even if the purchase was made with a credit card via PayPal during the relevant time period.
If you used a credit card directly on our site without PayPal between January 5, 2021 and February 8, 2021, we would strongly recommend either canceling the credit card or informing your credit card issuer that your card could be used for fraudulent charges.
On February 8, 2021, we learned of this incident, and immediately took steps to stop any further abuse. First, we began an investigation to review our site and determine if we had been attacked. We also emailed those potentially affected by the incident, suggesting that they check with their credit card companies to ensure they are protected from any unauthorized use of their credit cards.
We are emailing our entire community today in order to be open with you about the incident and to avoid any miscommunication. To ensure that this sort of incident cannot recur, we have taken the proactive step of disabling credit card functionality on our website. You can still place new orders and securely pay with your credit card through the link on our site to PayPal, even if you don’t have a PayPal account. PayPal is one of the industry leaders in customer data, security and privacy.
Any pre-order previously placed will be sent upon commencement of shipping later this month without any sort of disruption due to this situation.
Our sincere apologies for any inconvenience this has caused our amazing customers and community.
Be well. Play well.
Your Friends at Strat-O-Matic
Based on this communication, what likely happened is that their e-commerce platform had a security vulnerability that was exploited. The hackers installed malware that sat on their network undetected, capturing and downloading all data passing through the site. The hackers then take that data and scan for personal information such as names, addresses, credit card #s, security codes, user IDs and passwords, and create a database of information from it. The hackers then immediately sell and use the credit card info, but they also match all of the data against a database of information that they have accumulated from other hacking activity (that they have done, purchased, or traded for) and use it for identity theft.
SOM stated that SOM doesn't store the information on their platform (sounds correct) and that there isn't enough personal data from this specific incident for the hackers to steal someone's identity (also sounds correct), but there is still a risk for identity theft since the data is now exposed and distributed. The malware method used here captured data as it was transmitted, so even though it isn't "stored", it was still captured.
Here are some links on what to do if your credit card is stolen; they all basically say the same thing:
Lifelock -
https://www.lifelock.com/learn-credit-finance-what-to-do-if-you-lose-a-credit-card.html
CNBC -
https://www.cnbc.com/select/what-to-do-if-your-credit-card-is-stolen/
Experian -
https://www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/credit-card-fraud-what-to-do-if-you-are-a-victim/
Credit card fraud can be very costly depending on the policies of the credit company. Amex is great with fraud protection, others not so much. So depending on the card you use on the web, your financial exposure will vary; it's good to know how each of your credit card companies handles fraud.
Hope this helps,
Rob