Popular trading card company Topps has been hit with an ‘unforgivable’ hack, according to BBC News sources.
The majority of data hacks come as a surprise, but not necessarily this one. According to one security researcher, the company had been warned about security weaknesses prior to the hack, and seems to have done very little to defend itself from what appeared to be obvious security risks.
Personal information stolen
On 12 October 2016 the company sent out an email notifying customers that “one or more intruders gained unauthorised access to its website”.
The extent of the hack is unknown, but customer names, addresses, email addresses, phone numbers, credit or debit card numbers, card expiry dates, and verification numbers for customers may have been stolen when buyers bought merchandise from the website.
It’s thought that this affected those customers who made purchases from the website between approximately 30 July 2016 and 12 October 2016.
Email notification
Following the security breach, Topps sent a notice to customers who have been, or may have been, impacted by the hack.
As with all companies, Topps starts out by expressing its “deepest apologies” and “regrets” that the breach has happened. The letter assures customers that an investigation was immediately launched after the company was made aware of the intrusion.
According to the letter, they hired a security firm to examine their network. As well as examining the network, they allegedly worked with the firm to strengthen Topps’ security system.
Based on their initial investigation, Topps note that there’s no reason to believe that customers using PayPal have had their personal information hacked, but the company are being cautious to notify all (potentially) affected customers.
Free cyber-security post-hack
As a consolation prize, Topps are offering a year’s worth of security and identity theft protection to those affected by the hack, free of charge. Topps has contracted with CSID, under the Experian umbrella, which is a leading provider of global identity protection and fraud detection technologies. They encourage affected customers to contact them immediately to activate their CSID coverage before 31 December 2017.
Long-term impact
Action taken post-hack doesn’t take away from the serious fact that sensitive information was gained via the Topps trading card hack.
Cyber-security expert Professor Alan Woodward comments that:
“The really unforgivable aspect here is the loss of credit card details.”
The leak of financial information can have both immediate and long-term impacts. Customers may not feel any effects immediately after the hack; however, the hackers could use the information or sell it on, which puts customers at grave risk of identity fraud.
Fraudulent activity as a result of hack
Some Topps customers have vented their frustration and stress about the hack on an online forum. Some customers even say that they’ve detected fraudulent activity on their bank accounts. They note that fraudulent purchases were made using their credit card numbers after they used the same credit cards to purchase merchandise through the Topps website.
Second Topps data breach inside a year
This isn’t the first time that Topps has had a cyber-security wobble. In June 2016, MacKeeper security researcher Chris Vickery revealed that a database exposed Topps’ customers’ data through a mobile app. He attempted to notify the company several times via email. However, according to Mr Vickery, his emails ended up in the spam folder and were ignored because “an employee thought he was trying to sell something”.
The issue wasn’t resolved until www.databreaches.net contacted Topps HQ via telephone.