Warner Music Group has issued a data breach notification following a prolonged skimming attack on an undisclosed number of its e-commerce websites.
The cyber-attack was discovered by the multinational entertainment and record label conglomerate on August 5, 2020.
E-commerce websites that are hosted and supported by an external service provider in the US but operated by Warner were found to have been compromised by an unauthorized third party.
By installing data-skimming malware on the sites, the threat actor was able to access information being entered by customers.
Personal data compromised in the attack included names, email addresses, telephone numbers, billing addresses, shipping addresses, credit card numbers, card expiration dates, and CVC and CVV codes.
The as-yet-unidentified cyber-criminal accessed Warner customers’ personal information entered into the affected websites during transactions made between April 25, 2020, and August 5, 2020. Payments made through PayPal were reportedly not affected by this incident.
A data breach notice sent by Warner to the affected customers stated that “any personal information” customers had entered into the affected websites “after placing an item in your shopping cart was potentially acquired by the unauthorized third party.”
Warner said that it promptly informed relevant credit card providers and law enforcement of the breach. The company has not yet disclosed how many customers were affected by the incident.
Affected customers have been offered 12 months of identity monitoring services free of charge by Warner.
The cyber-attack comes three years after Warner fell victim to a phishing scam that resulted in the leak of 3.12 TB of internal data relating to Vevo, the company’s premium music video provider.
“Digital skimming and Magecart attacks continue to be a lucrative source of revenue for hackers as they continue to seek large targets for maximum payouts. For example, data stolen from an attack on another e-commerce platform in 2019 was valued at $133M on the dark web,” commented Ameet Naik, security evangelist at PerimeterX.
“Third-party platforms, scripts, and services are ideal targets for attackers because the techniques can be reused to steal data from multiple e-commerce sites.”