Rumor has it from a reliable source

that SOM had a major credit card hacking breach. Apparently they are legally required to notify us that our credit cards may have been compromised, but have done nothing.

If this turns out to be true, they need to be held accountable.

I had my card hacked last month and had to get a new one....this was right after purchasing credits...so this is possible.

I got no notification from Strat though....hmmmmm

If you bought anything recently using a credit card from Strat...you need to check with your credit card company. Well, actually if you ever bought anything from Strat you should check. I heard they were hacked and checked with my credit card company and there were fraudulent charges.

And yes it's hard to believe we havent all been notified so that we can protect ourselves

Just got a league message that SOM sent one of the victims a notice of being hacked two days ago.

I've received two emails from Strat, updating me on the situation. Unfortunately , I already had a fraudulent charge on my credit card on Monday. I was able to get it reversed and canceled that card.

Just received an email from SOM at 6:38 EST (7:38 on their warped boards time) admitting the breach, saying they have now joined a long list of businesses that have been hacked and that at least there was no identity theft. Guess we are supposed to be grateful for small favors.

Why the hell would only some people get notified would be my questions. I had to cancel my credit card about 4 weeks ago because of fraudulent charges.

Someone tried to buy a very expensive chess set and have it shipped to a guy named Bruce ...

Seriously though I did have to cancel my card. Fortunately, I haven't purchased any credits on the new card yet.

I had my card compromised about a month or so ago, could've been due to this. No emails to me from SOM. Figures

I had my card compromised about a month or so ago, could've been due to this. No emails to me from SOM. Figures

Same here.

It looks like if you are on the marketing email list, you got notified.

Code: Select all

February 8th, 2021

To our loyal customers-

We are writing to let you know that we just learned that several customers who used credit cards on our website during January and February 2021 were subsequently notified of fraudulent transactions on their credit cards.  Upon learning this information, we immediately began an investigation and took steps to ensure the security of our website. 

When we complete our investigation, we will be back in touch with additional information, but wanted to send you this notice in the meantime so that you can immediately contact your credit card company and ensure that you are not impacted as well.

In addition, we have taken the proactive step of disabling credit card functionality on our website. You can still place new orders and securely pay with your credit card through the link on our site to PayPal, even if you don’t have a PayPal account. 

We have also engaged a third party to investigate and we will update as we learn more.

Any pre-order previously placed will be sent upon commencement of shipping later this month.

Apologies for any inconvenience this has caused our amazing customers and community.   

Be well.  Play well.

Your Friends at Strat-O-Matic

A couple things on this, only because it's part of what I oversee in my work.

The scope of the communication really should have been driven by the contact info in the online order platform and not the marketing database, but it's a mom and pop shop so they probably don't know that.

When breaches happen, the standard incident response is to notify ALL of the online customers, regardless of when the transaction occurred. Then, it is common operating procedure to offer the at risk customers free identity fraud protection (like NortonLifeLock, Experian, IdentityGuard...) for 12-24 months, paid for by the company.

SOM is a very small company and probably don't have the experience to know what the best practices are unfortunately. Per their email, they are outsourcing the investigation, not unheard of in a company this size, and hopefully the cyber security company will advise to follow up with a more thorough communication and complimentary identity fraud protection.

I don't expect that SOM will pick up the cost for the monitoring though, hopefully I am wrong. If they don't, these services aren't very expensive for an individual and can be valuable if you have an active online consumer presence. You could consider signing up on your own. Some even have trials that you can sign up for, free of charge for 30-60 days.

It's important to keep in mind though, that the time frame of the risk extends well beyond immediate period after the breach occurred. Information is sold and traded in the identity theft community and can be used up until the expiration date of the credit card (the expiration date is part of the breach data).

I hope this was helpful to anyone that is concerned about the risk associated with the breach. I've gotten a lot from this community over the years and would be glad if this was a chance to contribute back to it.

Rob