Cyber Incident Victim: Warner Music Group
Date: Apr 2020
Location: United States of America
Summary
Warner Music Group experienced a web skimming attack compromising multiple US-based e-commerce platforms hosted by an external service provider. Malicious code injected into online stores harvested customers' personal and payment information during checkout, including names, contact details, addresses, and payment card data with security codes. The breach occurred over several months, though PayPal transactions remained unaffected. The company did not disclose specific impacted stores, creating uncertainty for customers across its portfolio of music studios. Affected individuals were offered complimentary credit monitoring services following the incident.
Description
Warner Music Group experienced a web skimming incident impacting several US-based e-commerce websites hosted and supported by an external service provider. The breach occurred between April 25, 2020, and August 5, 2020, during which unauthorized third parties injected malicious code to capture customer payment information. This form of attack, commonly referred to as "Magecart," compromised data entered by users after placing items in shopping carts on affected sites. Exfiltrated information included names, email addresses, telephone numbers, billing and shipping addresses, and payment card details such as card numbers, CVC/CVV codes, and expiration dates. Warner Music confirmed PayPal transactions were not vulnerable to the skimming operation. The company did not disclose specific compromised storefronts or identify affiliated music studios impacted by the breach, leaving customers unable to self-assess their exposure risk due to the absence of individualized notifications or a published list of affected properties.

Warner Music filed a data breach notification with the California Office of the Attorney General on September 3, 2020, advising customers of the four-month intrusion window and potential data compromise. The company offered impacted individuals free credit monitoring services through Kroll, with enrollment details included in the notification letter. No technical details regarding the initial intrusion vector, malware deployment methods, or containment procedures were publicly disclosed. The incident exposed limitations in third-party vendor security controls, as the breach originated within infrastructure managed by the external service provider supporting Warner’s e-commerce operations. Financial ramifications, regulatory penalties, and the total number of affected customers remained unquantified in available disclosures.
