It looks like if you are on the marketing email list, you got notified.
February 8th, 2021
To our loyal customers-
We are writing to let you know that we just learned that several customers who used credit cards on our website during January and February 2021 were subsequently notified of fraudulent transactions on their credit cards. Upon learning this information, we immediately began an investigation and took steps to ensure the security of our website.
When we complete our investigation, we will be back in touch with additional information, but wanted to send you this notice in the meantime so that you can immediately contact your credit card company and ensure that you are not impacted as well.
In addition, we have taken the proactive step of disabling credit card functionality on our website. You can still place new orders and securely pay with your credit card through the link on our site to PayPal, even if you don’t have a PayPal account.
We have also engaged a third party to investigate and we will update as we learn more.
Any pre-order previously placed will be sent upon commencement of shipping later this month.
Apologies for any inconvenience this has caused our amazing customers and community.
Be well. Play well.
Your Friends at Strat-O-Matic
A couple of things on this, only because it's part of what I oversee in my work.
The scope of the communication really should have been driven by the contact info in the online order platform and not the marketing database, but it's a mom-and-pop shop, so they probably don't know that.
When breaches happen, the standard incident response is to notify ALL of the online customers, regardless of when the transaction occurred. Then, it is common operating procedure to offer the at-risk customers free identity fraud protection (like NortonLifeLock, Experian, IdentityGuard...) for 12-24 months, paid for by the company.
SOM is a very small company and probably doesn't have the experience to know what the best practices are, unfortunately. Per their email, they are outsourcing the investigation, which is not unheard of in a company this size, and hopefully the cyber security company will advise them to follow up with a more thorough communication and complimentary identity fraud protection.
I don't expect that SOM will pick up the cost for the monitoring, though; hopefully I am wrong. If they don't, these services aren't very expensive for an individual and can be valuable if you have an active online consumer presence. You could consider signing up on your own. Some even have trials that you can sign up for, free of charge for 30-60 days.
It's important to keep in mind, though, that the time frame of the risk extends well beyond the immediate period after the breach occurred. Information is sold and traded in the identity theft community and can be used up until the expiration date of the credit card (the expiration date is part of the breach data).
I hope this was helpful to anyone who is concerned about the risk associated with the breach. I've gotten a lot from this community over the years and would be glad if this was a chance to contribute back to it.
Rob
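The three points in the post above (notification scope should come from the order platform, not the marketing list; every online card customer is notified regardless of transaction date; the risk lasts until the card expires) can be made concrete with a small script. This is an added example, not code from the post or from Strat-O-Matic; every customer, date and card field in it is constructed sample data, and the window dates are taken from the quoted notice.

```python
"""Deriving a breach-notification population from order records.

Added example (not from the original post or the company). All records
below are constructed sample data: hypothetical customers, order dates and
card fields. No card numbers are kept, only the last four digits and the
expiry, which is what an order platform typically retains.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Order:
    email: str        # contact address captured at checkout
    placed: date      # order date
    last4: str        # last four digits of the card used
    exp_month: int    # card expiry month
    exp_year: int     # card expiry year


# Constructed order-platform records (hypothetical data).
ORDERS = [
    Order("ann@example.com", date(2020, 11, 3), "1111", 6, 2022),
    Order("bob@example.com", date(2021, 1, 12), "2222", 3, 2021),
    Order("cat@example.com", date(2021, 2, 2), "3333", 12, 2023),
    Order("dan@example.com", date(2021, 2, 5), "4444", 9, 2021),
    Order("eve@example.com", date(2020, 12, 15), "5555", 1, 2024),
]

# Constructed marketing list: opt-in only, so it neither covers every buyer
# nor excludes people who never bought anything.
MARKETING_LIST = {"ann@example.com", "bob@example.com", "zed@example.com"}

# Window in which the fraud was first observed, per the quoted notice,
# and the date of that notice (used as the breach reference date).
WINDOW_START = date(2021, 1, 1)
WINDOW_END = date(2021, 2, 28)
BREACH_DATE = date(2021, 2, 8)


def customers_in_window(orders, start=WINDOW_START, end=WINDOW_END):
    """Customers who paid by card inside the observed fraud window only.
    This is the narrow scope the notice implies."""
    return {o.email for o in orders if start <= o.placed <= end}


def all_online_customers(orders):
    """Recommended notification scope: every online card customer,
    regardless of when the transaction occurred."""
    return {o.email for o in orders}


def missed_by_marketing_list(orders, marketing):
    """Affected customers who never see a notice sent only to the
    marketing database."""
    return all_online_customers(orders) - marketing


def not_affected_but_notified(orders, marketing):
    """Marketing contacts who never placed an online card order."""
    return marketing - all_online_customers(orders)


def card_expiry(order):
    """Last day the card is valid: cards expire at the end of the stated month."""
    if order.exp_month == 12:
        return date(order.exp_year, 12, 31)
    return date(order.exp_year, order.exp_month + 1, 1) - timedelta(days=1)


def risk_horizon_months(orders, breach_date=BREACH_DATE):
    """Months from the breach to the latest expiry among exposed cards.
    Stolen card data stays usable until the card expires, so a monitoring
    period shorter than this leaves some customers uncovered."""
    latest = max(card_expiry(o) for o in orders)
    return (latest.year - breach_date.year) * 12 + latest.month - breach_date.month


if __name__ == "__main__":
    print("window-only scope:  ", sorted(customers_in_window(ORDERS)))
    print("full scope:         ", sorted(all_online_customers(ORDERS)))
    print("missed via marketing:", sorted(missed_by_marketing_list(ORDERS, MARKETING_LIST)))
    print("notified needlessly:", sorted(not_affected_but_notified(ORDERS, MARKETING_LIST)))
    print("risk horizon (months):", risk_horizon_months(ORDERS))
```

With the constructed data, restricting the scope to the January-February window drops two affected customers, sending only to the marketing list misses three more and reaches one person who never ordered, and the longest-lived exposed card stays usable for 35 months after the notice, well past a 12-24 month monitoring offer.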