American football team Green Bay Packers says cybercriminals stole the credit card data of over 8,500 customers after hacking its official Pro Shop online retail store in a September breach.
In breach notification letters sent to affected individuals this week, the National Football League (NFL) team said it immediately disabled all checkout and payment capabilities after being notified on October 23 that the packersproshop.com website was breached.
While the letters didn’t share the number of impacted customers impacted, the football team said in documents filed with Maine’s Attorney General on Monday that the incident affected 8,514 people.
A follow-up investigation found that the attackers injected a credit card stealer in the store’s checkout page to harvest personal and payment information. However, the Packers said the attacker couldn’t intercept information from any payments made using gift cards, a Pro Shop website account, PayPal, or Amazon Pay.
“We also immediately required the vendor that hosts and manages the Pro Shop website to remove the malicious code from the checkout page, refresh its passwords, and confirm there were no remaining vulnerabilities,” the Packers’s Director of Retail Operations Chrysta Jorgensen explained.
“Based on the results of the forensic investigation, on December 20, 2024 we discovered that the malicious code may have allowed an unauthorized third party to view or acquire certain customer information entered at the checkout that used a limited set of payment options on the Pro Shop website between September 23-24, 2024 and October 3-23, 2024.”
The breach impacted information entered on the Pro Shop website at checkout, including names, addresses (billing and shipping), email addresses, credit card types and numbers, card expiration dates, and credit card verification numbers (CVVs).
The Packers has yet to share how the threat actor hacked its Pro Shop website; however, Dutch e-commerce security company Sansec, which spotted the Packers store breach in early October, found that the card skimming attack used YouTube’s oEmbed feature and a JSONP callback to bypass the Content Security Policy (CSP).
”In this attack, a script was injected from https://js-stats.com/getInjector. This script harvested data from input, select, and textarea fields on the site, exfiltrating the captured information to https://js-stats.com/fetchData,” Sansec said in a December 31 report.
The NFL team offers affected people three years of identity theft restoration and credit monitoring services through Experian and advises them to track their account statements for fraudulent activity.
Anyone observing identity theft or fraud attempts should report them to their bank and the appropriate authorities, including the Federal Trade Commission (FTC) and the state attorney general.
In September 2022, the San Francisco 49ers also notified over 20,000 individuals that attackers stole their personal information (including Social Security numbers) in a February 2022 breach later claimed by the Blackbyte ransomware gang.
