Credit card info stolen from Strat's site

Moderator: Palmtana


Paul_Long71

  • Posts: 6474
  • Joined: Thu Aug 23, 2012 3:48 pm

Re: Credit card info stolen from Strat's site

Wed Feb 10, 2021 7:20 pm

My card was hacked, 3 purchases of over $300 each. My bank informed me and didn't charge my account. Had to get a new bank card. This may or may not have been due to Strat, but it was just after purchasing credits. I've had to do this before so really not sure if it was Strat or not, but the timing is conspicuous. I didn't get an email from Strat either.

seanreflex

  • Posts: 3497
  • Joined: Fri Nov 09, 2012 12:56 am

Re: Credit card info stolen from Strat's site

Wed Feb 10, 2021 7:55 pm

fredpaii wrote:I am one of the victims. Three purchases that weren't mine. Total was around $170.

1. Victoria's Secret (Yep!)

2. Cheesecake Factory (at least they have good taste in sweet stuff)

3. Overstock.com (I don't know)



Victoria's Secret was me, Fred. My wife says thanks for the Valentine's present. :D

I am sorry you were victimized, man. I always use PayPal on Strat. Were you using PayPal, or just putting in cc info? Did you have cc info saved on Strat?

Thanks Fred. Stay safe in the desert!

S

ROBERTLATORRE

  • Posts: 1307
  • Joined: Thu Aug 23, 2012 3:36 pm

Re: Credit card info stolen from Strat's site

Wed Feb 10, 2021 9:16 pm

Reposting this from another thread for visibility:

It looks like if you are on the marketing email list, you got notified.

February 8th, 2021

To our loyal customers-

We are writing to let you know that we just learned that several customers who used credit cards on our website during January and February 2021 were subsequently notified of fraudulent transactions on their credit cards.  Upon learning this information, we immediately began an investigation and took steps to ensure the security of our website. 

When we complete our investigation, we will be back in touch with additional information, but wanted to send you this notice in the meantime so that you can immediately contact your credit card company and ensure that you are not impacted as well.

In addition, we have taken the proactive step of disabling credit card functionality on our website. You can still place new orders and securely pay with your credit card through the link on our site to PayPal, even if you don’t have a PayPal account. 

We have also engaged a third party to investigate and we will update as we learn more.

Any pre-order previously placed will be sent upon commencement of shipping later this month.

Apologies for any inconvenience this has caused our amazing customers and community.   

Be well.  Play well.

Your Friends at Strat-O-Matic


A couple things on this, only because it's part of what I oversee in my work.

The scope of the communication really should have been driven by the contact info in the online order platform and not the marketing database, but it's a mom and pop shop so they probably don't know that.

When breaches happen, the standard incident response is to notify ALL of the online customers, regardless of when the transaction occurred. Then, it is common operating procedure to offer the at risk customers free identity fraud protection (like NortonLifeLock, Experian, IdentityGuard...) for 12-24 months, paid for by the company.

SOM is a very small company and probably doesn't have the experience to know what the best practices are, unfortunately. Per their email, they are outsourcing the investigation, not unheard of in a company this size, and hopefully the cyber security company will advise to follow up with a more thorough communication and complimentary identity fraud protection.

I don't expect that SOM will pick up the cost for the monitoring though, hopefully I am wrong. If they don't, these services aren't very expensive for an individual and can be valuable if you have an active online consumer presence. You could consider signing up on your own. Some even have trials that you can sign up for, free of charge for 30-60 days.

It's important to keep in mind, though, that the time frame of the risk extends well beyond the immediate period after the breach occurred. Information is sold and traded in the identity theft community and can be used up until the expiration date of the credit card (the expiration date is part of the breach data).

I hope this was helpful to anyone that is concerned about the risk associated with the breach. I've gotten a lot from this community over the years and would be glad if this was a chance to contribute back to it.

Rob

mlbphan

  • Posts: 3324
  • Joined: Fri Aug 31, 2012 12:00 am

Re: Credit card info stolen from Strat's site

Wed Feb 10, 2021 9:35 pm

ROBERTLATORRE wrote:A couple things on this, only because it's part of what I oversee in my work.

The scope of the communication really should have been driven by the contact info in the online order platform and not the marketing database, but it's a mom and pop shop so they probably don't know that.

When breaches happen, the standard incident response is to notify ALL of the online customers, regardless of when the transaction occurred. Then, it is common operating procedure to offer the at risk customers free identity fraud protection (like NortonLifeLock, Experian, IdentityGuard...) for 12-24 months, paid for by the company.

SOM is a very small company and probably doesn't have the experience to know what the best practices are, unfortunately. Per their email, they are outsourcing the investigation, not unheard of in a company this size, and hopefully the cyber security company will advise to follow up with a more thorough communication and complimentary identity fraud protection.

I don't expect that SOM will pick up the cost for the monitoring though, hopefully I am wrong. If they don't, these services aren't very expensive for an individual and can be valuable if you have an active online consumer presence. You could consider signing up on your own. Some even have trials that you can sign up for, free of charge for 30-60 days.

It's important to keep in mind, though, that the time frame of the risk extends well beyond the immediate period after the breach occurred. Information is sold and traded in the identity theft community and can be used up until the expiration date of the credit card (the expiration date is part of the breach data).

I hope this was helpful to anyone that is concerned about the risk associated with the breach. I've gotten a lot from this community over the years and would be glad if this was a chance to contribute back to it.

Rob


Thank you Rob for the info. Much appreciated.

RickP
mlbphan

Palmtana

  • Posts: 7312
  • Joined: Thu Aug 23, 2012 7:47 pm
  • Location: SoCal

Re: Credit card info stolen from Strat's site

Wed Feb 10, 2021 10:12 pm

Thanks for the info Rob. I copied your post to the stickied "hack" threads in the ATG and "60's, 70's, 80's...." forums.

ROBERTLATORRE

  • Posts: 1307
  • Joined: Thu Aug 23, 2012 3:36 pm

Re: Credit card info stolen from Strat's site

Thu Feb 11, 2021 12:04 am

OK, updating the status on this. Another manager forwarded this to me, he just received it:

February 10th, 2021

To our loyal customers-

We are writing to let you know that on February 8th, we learned that several customers who used credit cards on our website during January and February 2021 were subsequently notified of fraudulent transactions on their credit cards.  This happened despite the strict security protocols we maintain at Strat-O-Matic and on strat-o-matic.com   Sadly, we join a long list of companies (large and small) who have had customer information stolen.   However, it is important to note that identities were not stolen, as Strat-O-Matic has no social security or birthdate information for our customers.   We also do not store credit card information (you must re-enter your credit card every time you purchase at Strat-O-Matic).  Despite these precautions, our investigation to date has revealed that hackers were able to intercept credit card numbers inputted into our site for the period from January 5, 2021 through February 8, 2021. 

Our investigation to date indicates this incident only impacts individuals who conducted credit card transactions on our website between January 5, 2021 and February 8, 2021.  The investigation also indicates that this criminal activity has not impacted anyone who used PayPal to pay for purchases on our site, even if the purchase was made with a credit card via PayPal during the relevant time period.

If you used a credit card directly on our site without PayPal between January 5, 2021 and February 8, 2021, we would strongly recommend either canceling the credit card or informing your credit card issuer that your card could be used for fraudulent charges.

On February 8, 2021, we learned of this incident, and immediately took steps to stop any further abuse. First, we began an investigation to review our site and determine if we had been attacked. We also emailed those potentially affected by the incident, suggesting that they check with their credit card companies to ensure they are protected from any unauthorized use of their credit cards. 

We are emailing our entire community today in order to be open with you about the incident and to avoid any miscommunication.   To ensure that this sort of incident cannot recur, we have taken the proactive step of disabling credit card functionality on our website. You can still place new orders and securely pay with your credit card through the link on our site to PayPal, even if you don’t have a PayPal account.   PayPal is one of the industry leaders in customer data, security and privacy.   

Any pre-order previously placed will be sent upon commencement of shipping later this month without any sort of disruption due to this situation.

Our sincere apologies for any inconvenience this has caused our amazing customers and community.   

Be well.  Play well.

Your Friends at Strat-O-Matic


Based on this communication, what likely happened is that their e-commerce platform had a security vulnerability that was exploited. The hackers installed malware that sat on their network undetected, capturing and downloading all data passing through the site. The hackers then take that data and scan for personal information such as names, addresses, credit card #s, security codes, user IDs and passwords, and create a database of information from it. The hackers then immediately sell and use the credit card info, but they also match all of the data against a database of information that they have accumulated from other hacking activity (that they have done, purchased, traded for) and use it for identity theft.

SOM stated that SOM doesn't store the information on their platform (sounds correct) and that there isn't enough personal data from this specific incident for the hackers to steal someone's identity (also sounds correct), but there is still a risk for identity theft since the data is now exposed and distributed. The malware method used here captured data as it was transmitted, so even though it isn't "stored", it was still captured.

Here are some links on what to do if your credit card is stolen; they all basically say the same thing:
Lifelock - https://www.lifelock.com/learn-credit-finance-what-to-do-if-you-lose-a-credit-card.html
CNBC - https://www.cnbc.com/select/what-to-do-if-your-credit-card-is-stolen/
Experian - https://www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/credit-card-fraud-what-to-do-if-you-are-a-victim/

Credit card fraud can be very costly depending on the policies of the credit company. Amex is great with fraud protection, others not so much. So depending on the card you use on the web, your financial exposure will vary; it's good to know how each of your credit card companies handles fraud.

Hope this helps,

Rob

tcochran

  • Posts: 17421
  • Joined: Thu Aug 23, 2012 4:23 pm

Re: Credit card info stolen from Strat's site

Thu Feb 11, 2021 1:10 am

Thanks for your posts, Rob. Happy to say I only use AmEx at Strat!

fredpaii

  • Posts: 6576
  • Joined: Thu Aug 23, 2012 4:54 pm

Re: Credit card info stolen from Strat's site

Thu Feb 11, 2021 5:45 pm

seanreflex wrote:
fredpaii wrote:I am one of the victims. Three purchases that weren't mine. Total was around $170.

1. Victoria's Secret (Yep!)

2. Cheesecake Factory (at least they have good taste in sweet stuff)

3. Overstock.com (I don't know)



Victoria's Secret was me, Fred. My wife says thanks for the Valentine's present. :D

I am sorry you were victimized, man. I always use PayPal on Strat. Were you using PayPal, or just putting in cc info? Did you have cc info saved on Strat?

Thanks Fred. Stay safe in the desert!

S


I'm going to use PayPal from now on. That is for certain. Wish I would have before.

ScottyDouglas

  • Posts: 24
  • Joined: Tue Apr 29, 2014 2:09 am

Re: Credit card info stolen from Strat's site

Fri Feb 12, 2021 3:11 pm

I purchased the ratings guide in January, and the only thing that I like to think stopped my account from being hacked is that it has no money in it. Me and my wife have three accounts: savings (can't touch it, not even us, unless we go to the bank) and two checking, one for money being held with no card and the other empty with a card. The empty one only has money in it when we transfer it to buy something; then it is empty again. Please, everyone, look into doing this to save you the trouble of being hacked.