Retailer GameStop is investigating claims that credit card and customer data from its website is up for sale on the black market.
“GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website,” the company told KrebsOnSecurity.
“That day a leading security firm was engaged to investigate these claims. Gamestop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified.
“We regret any concern this situation may cause for our customers. GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges. If you identify such a charge, report it immediately to the bank that issued the card because payment card network rules generally state that cardholders are not responsible for unauthorized charges that are timely reported.”
The site says that its two sources suggested the breach occurred between September 2016 and February 2017, and that the compromised data included card numbers, expiration dates, names, addresses and card verification values (CVV2).
Interestingly retailers are not supposed to store CVV2 codes, but their theft can occur if malicious software is placed directly into a retailer’s website that tracks the data as it is entered.
GameStop did not confirm or deny any of the specifics.
The retailer last month reported year-on-year drops in both revenue and income.
Revenues for the quarter ending January 28th fell 13.6 per cent to $3.05bn, while net income dropped 18 per cent to $208.7bn. Adjusted earnings were down by three per cent. Comparable store sales declined by 16.3 per cent internationally and 20.8 per cent in the US.
The company said that weakening games sales due to the aging generation of consoles and a few triple-A flops were the main culprit, along with strong competition from retail rivals throughout the Black Friday period.