Cyber Incident Victim: The Topps Company
Date: Oct 2016
Location: United States of America
Summary
A trading card company experienced unauthorized system access by hackers, potentially compromising customer names, addresses, email addresses, phone numbers, and payment card details including numbers, expiration dates, and security verification codes. The breach occurred over several months before being addressed, with the company offering affected individuals complimentary identity theft protection services. A security researcher had previously identified and reported vulnerabilities in the firm's mobile applications, which were initially resolved but followed by another exposed database that received no response. Cybersecurity experts criticized the exposure of unencrypted financial data as a severe failure, highlighting potential regulatory consequences.
Description
In late 2016, Topps—a New York-based collectible trading card company producing Star Wars, Disney Frozen, Top Gear, and UEFA Champions League merchandise—disclosed a cybersecurity incident affecting customer data. Between approximately 30 July and 12 October 2016, unauthorized intruders breached Topps' systems, potentially accessing names, addresses, email addresses, phone numbers, credit/debit card numbers, card expiration dates, and card verification numbers (CVV) of customers who made purchases during that period. The company notified affected customers via email, stating the vulnerability had been fixed post-incident. Multiple customers shared the notification on social media, and Sports Collectors Daily published the full advisory. The breach exposed financial data in a manner described by University of Surrey cybersecurity expert Prof. Alan Woodward as "unforgivable," raising questions about whether payment details were stored unencrypted and the adequacy of regulatory oversight. Card verification codes are sensitive authentication data that PCI DSS prohibits merchants from retaining after authorization, so if the codes were taken from stored records rather than captured at checkout, the data should not have been on the system at all, encrypted or not.

Prior to the breach, security researcher Chris Vickery had identified exposed databases containing customer account information for three Topps mobile apps—Bunt, Huddle, and Kick—in June 2016, which were subsequently secured. However, Vickery later discovered another unprotected database with user data across all three apps and received no response from Topps when reporting it. The company, part-owned by former Disney CEO Michael Eisner’s investment fund, offered one year of complimentary identity theft protection to impacted individuals. The incident highlighted concerns over persistent vulnerabilities in Topps’ systems despite prior warnings, though no specific attacker motives or identities were disclosed. Forensic details regarding intrusion methods, internal detection timelines, or broader operational disruptions remained unconfirmed in available reports.
