Rumor has it from a reliable source

Honestly, lawsuits in the making, dumbly handled by SOM.

Maybe their settlement in the inevitable lawsuits to come will be – "free credits to everyone!" But, I don't think that will suffice.

OK, updating the status on this. Another manager forwarded this to me, he just received it:

Code: Select all

February 10th, 2021

To our loyal customers-

We are writing to let you know that on February 8th, we learned that several customers who used credit cards on our website during January and February 2021 were subsequently notified of fraudulent transactions on their credit cards.  This happened despite the strict security protocols we maintain at Strat-O-Matic and on strat-o-matic.com   Sadly, we join a long list of companies (large and small) who have had customer information stolen.   However, it is important to note that identities were not stolen, as Strat-O-Matic has no social security or birthdate information for our customers.   We also do not store credit card information (you must re-enter your credit card every time you purchase at Strat-O-Matic).  Despite these precautions, our investigation to date has revealed that hackers were able to intercept credit card numbers inputted into our site for the period from January 5, 2021 through February 8, 2021. 

Our investigation to date indicates this incident only impacts individuals who conducted credit card transactions on our website between January 5, 2021 and February 8, 2021.  The investigation also indicates that this criminal activity has not impacted anyone who used PayPal to pay for purchases on our site, even if the purchase was made with a credit card via PayPal during the relevant time period.

If you used a credit card directly on our site without PayPal between January 5, 2021 and February 8, 2021, we would strongly recommend either canceling the credit card or informing your credit card issuer that your card could be used for fraudulent charges.

On February 8, 2021, we learned of this incident, and immediately took steps to stop any further abuse. First, we began an investigation to review our site and determine if we had been attacked. We also emailed those potentially affected by the incident, suggesting that they check with their credit card companies to ensure they are protected from any unauthorized use of their credit cards. 

We are emailing our entire community today in order to be open with you about the incident and to avoid any miscommunication.   To ensure that this sort of incident cannot recur, we have taken the proactive step of disabling credit card functionality on our website. You can still place new orders and securely pay with your credit card through the link on our site to PayPal, even if you don’t have a PayPal account.   PayPal is one of the industry leaders in customer data, security and privacy.   

Any pre-order previously placed will be sent upon commencement of shipping later this month without any sort of disruption due to this situation.

Our sincere apologies for any inconvenience this has caused our amazing customers and community.   

Be well.  Play well.

Your Friends at Strat-O-Matic

Based on this communication, what likely happened is that their e-commerce platform had a security vulnerability that was exploited. The hackers installed malware that sat on their network undetected, capturing and downloading all data passing through the site. The hackers then take that data and scan for personal information such as, names, addresses, credit cards #s, security codes, user IDs and passwords, and create a database of information from it. The hackers then immediately sell and use the credit card info, but they also match all of the data against a database of information that they have accumulated from other hacking activity (that they have done, purchased, traded for) and use it for identity theft.

SOM stated that SOM doesn't store the information on their platform (sounds correct) and that there isn't enough personal data from this specific incident for the hackers to steal someone's identity (also sounds correct), but there is still a risk for identity theft since the data is now exposed and distributed. The malware method used here captured data as it was transmitted, so even though it isn't "stored", it was still captured.

Here some links on what to do if your credit card is stolen, they all basically say the same thing:
Lifelock - https://www.lifelock.com/learn-credit-finance-what-to-do-if-you-lose-a-credit-card.html
CNBC - https://www.cnbc.com/select/what-to-do-if-your-credit-card-is-stolen/
Experian - https://www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/credit-card-fraud-what-to-do-if-you-are-a-victim/

Credit card fraud can be very costly depending on the policies of the credit company. Amex is great with fraud protection, other's not so much. So depending on the card you use on the web, your financial exposure will vary, it's good to know how each of your credit card companies handle fraud.

Hope this helps,

Rob

The information they are providing is wrong. I had a transaction on Dec. 27 and then had my card hacked in mid-January. The breach goes back before the beginning of the year.

No notification from the company. The thieves also lifted my email and sold it to every distribution list know to man. My email began to get flooded the same day my card was hacked. I’ve been scratching my head about this for a month. Now it all makes sense.

We are emailing our entire community today in order to be open with you about the incident and to avoid any miscommunication.


apparently I'm not part of the "entire community" despite having played over 280 teams over 20+ years.

my card was hacked, I've gotten no such email from Strat.

Yup my last transaction was Dec 18 and I still got jacked. Also haven't received any communication from Strat whatsoever.

Sol if you use PayPal are you safe?

If you are in doubt, and especially if you have seen fraudulent charges you need to contact one of the credit reporting bureaus and file a fraud report. They will notify the other two. Place a freeze on new credit. There is more to this than just whether you can get the fraudulent charges removed from your credit card. These could end up on your credit report and then your credit score goes down. When it does ...

You may pay higher interest rates on current cards and future cards.

Your car and home insurance could go up. Yes, many insurance companies use your credit score in their rate calculations. Ask yours if they do or not.

If this ends up with anything from this showing up on your credit report you will need to dispute those which may involve filing a police report.

Take this seriously. I had something similar happen a few years back and took me 18 months to get it straight. If you have something removed from your credit report continue to monitor. Creditors can place anything removed right back on and you will have to file fresh removal requests. For me this was an ongoing battle I thought would never end. My score dropped during this time over 100 points. It is now restored but I spent a lot of time and money getting my records clean.

I cut them no slack for being a small company. The reality of data breaches is something everyone is aware of these days and any company that has been around as long as Strat should have a lawyer on retainer.

As to why they have not published that is an easy one. Full disclosure would result in loss of sales. I think in addition they are not legally required to notify customers until investigation is complete and at that point they have to notify those confirmed leaked. Most companies delay public announcement until that legal threshold is crossed.

I put a fraud alert on my credit. Suggest affected consider doing the same.

My card was also hacked. I also put a fraud alert on my credit card. Was not sure where all the spam emails were coming from but now I know. This is a huge time consuming problem because I now must contact many many companies using my current email address and give them a new one. Doubt I will feel comfortable purchasing anything else from SOM regardless of what they say.