US-based multinational entertainment and record label Warner Music Group has disclosed a web-skimming attack that may have let cybercriminals steal customers’ personal and financial data.
According to a data breach notification submitted with California’s Office of the Attorney General, the incident involved an undisclosed “number of e-commerce websites operated by Warner Music Group (“WMG”) through an external service provider,” and “may have allowed an unauthorized third party to acquire a copy of personal information you entered into those websites.”
The letter specifies that the attackers retained unauthorized access to some WMG operated e-commerce websites between April 25 and August 5, 2020, allowing the perpetrators to view information customers entered during the purchase process.
Although the company could not specifically identify the extent of compromised customer data, attackers could have viewed full names, email addresses, telephone numbers, billing addresses, shipping addresses and credit card details such as card number, CVC/CVV and expiration date. “Payments made through PayPal were not affected by this incident,” WMG added.
“While we cannot definitively confirm that your personal information was affected, it is possible that it might have been as your transaction(s) occurred during the period of compromise,” WMG said. “If it was, this might have exposed you to a risk of fraudulent transactions being carried out using your details. Any personal information you entered into one or more of the affected website(s) between April 25, 2020 and August 5, 2020 after placing an item in your shopping cart was potentially acquired by the unauthorized third party.”
Unfortunately, the company offered no list of affected e-commerce websites, making it nearly impossible for WMG shoppers to tell if they are at risk for identity theft and fraud.
In response to the data breach, Warner Music said it also contacted credit card providers and law enforcement agencies to help with the investigation. Additionally, shoppers are provided with a 12-month credit monitoring service and are asked to check their credit card statements for any suspicious transactions.