Popular music recording firm Warner Music Group disclosed a security incident in which unknown threat actors compromised a number of its U.S.-based e-commerce websites and stole customers’ personal information. In a security alert, the company stated that attackers planted skimming code in the websites’ checkout pages to exfiltrate payment information entered by visitors.
Prolonged Skimming Attack
Attackers were able to access users’ data for a prolonged period of three months. The information exposed in the incident includes names, email addresses, contact details, billing addresses, shipping addresses, credit card numbers, card expiration dates, and CVV codes.
“Any personal information you entered into one or more of the affected websites between April 25, 2020 and August 5, 2020, after placing an item in your shopping cart was potentially acquired by the unauthorized third-party. While we cannot definitively confirm that your personal information was affected, it is possible that it might have been as your transactions occurred during the period of compromise. If it was, this might have exposed you to a risk of fraudulent transactions being carried out using your details,” Warner Music Group said.
While it is unclear how much personal information was affected in the incident, the company stated that customers whose transactions occurred during the period of compromise might be exposed to cyber risks.
Appeal to the Affected
Warner Music Group stated that it has temporarily taken down the affected e-commerce sites and urged customers to be vigilant for any unauthorized use of their payment card data and for any suspicious emails.
“Upon discovering the incident, we immediately launched a thorough forensic investigation with the assistance of leading outside cybersecurity experts and promptly took steps to address and correct the issue. We also notified the relevant credit card providers as well as law enforcement, with whom we continue to cooperate,” the company added.