Own goal for Leicester City FC after fan credit card details snatched in merch store hack
Leicester City Football Club has quietly told people who bought stuff from its website that their financial details have been stolen by hackers – and those details include credit card numbers and CVVs.
Reg reader Yazza, a Foxes follower, received an email from the British club ’fessing up to the hack attack, which affected its merchandise site, shop.lcfc.com.
The network intrusion itself took place on 6 May, with a follow-up email being sent earlier this week. That email read, in part:
“Technical investigations are still ongoing, but we can confirm that as a result of the incident your payment card information was compromised. This includes your card number, name of card holder, expiry date and CVV. We can confirm that your SecureCode was not compromised. That information is needed to attempt to conduct transactions using your account.”
The PCI-DSS standards explicitly state that if your business is storing card details, they must be encrypted – ideally, salted and hashed. It’s also a ridiculously bad idea to capture and store CVVs alongside card numbers and expiry dates.
SecureCode is an optional Mastercard thing that adds an extra layer of authentication to online card transactions.
Yazza suspected that LCFC’s site is running the Magento ecommerce platform and suggested to The Register that one potential attack vector could have been the Magecart malware. We have no information to support this theory, though a recent Magecart infection on a third-party site wound up infecting rent-a-blogger serious business news website Forbes. It is possible that an infection of a third-party site whose elements are used by LCFC’s online shop could have spread to the football club.
LCFC itself didn’t respond to our questions, though we suspect asking them about something other than pink away shirts or their ninth-place finish in the Premier League probably needs a bit more explanation.
Nonetheless, the footie club wasted an opportunity to tell us they are desperately sorry for leaking data and that they take the security of customers’ data very seriously.
It is not clear how many fans were caught up in this cyber-attack.
An LCFC fan forum features posts where some appear to suggest that fraudulent transactions have been made on their credit cards following the hack. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/31/leicester_city_fc_hacked_credit_card_data/