Cyber Incident Victim: Blowout Cards

Date: Jan 2017

Location: United States of America

Summary

A sports card trading website suffered a payment card skimming attack after an attacker modified a PHP file on its checkout system, compromising customer names, addresses, email addresses, phone numbers, payment card numbers, expiration dates, and verification codes. The breach impacted customers who checked out through the site's shopping cart over a multi-month period, excluding PayPal users. Following customer reports of fraudulent transactions, the company initiated an investigation with third-party forensic experts, removed the malicious code, and secured the exploited vulnerability. It notified potentially affected individuals via email and a website alert but faced criticism for insufficiently prominent breach communication. The organization did not disclose the exact vulnerability exploited or the number of affected customers.

Description

Blowout Cards, a sports and trading card retailer owned by Frontline Collectibles Inc., disclosed a payment card-skimming breach affecting customers who made purchases through its website shopping cart between January 2017 and April 20, 2017. The company confirmed on April 25, 2017, that attackers compromised customer names, addresses, email addresses, phone numbers, credit/debit card numbers, expiration dates, and card verification codes by modifying a payment processing PHP file on its e-commerce platform. The breach was discovered after customers began reporting fraudulent transactions on the company's forums starting April 19, with one user noting unauthorized charges on a card used exclusively at Blowout Cards and The New York Times. A forum administrator acknowledged the potential breach investigation on April 20, 2017, adding a homepage link to the discussion thread on April 21. Forensic analysis revealed attackers exploited a vulnerability to inject malicious code that captured payment card data during checkout transactions, though PayPal users were unaffected. Customers reported fraudulent charges ranging from small to large amounts, with some indicating ongoing fraud attempts after the initial reports.

Blowout Cards issued a formal security alert via email and website notification on April 24, 2017—four days after initiating its investigation—stating it had removed the malicious PHP file and secured the exploited vulnerability. The company engaged third-party digital forensic investigators and a data security firm to examine its network, strengthen system protections, and collaborate with its web development and hosting providers. President Thomas Fish confirmed notifications were sent to all potentially compromised individuals but declined to disclose the number of affected customers. Some users criticized the company for not prominently displaying the alert on its homepage or disseminating it through social media channels like Twitter and Facebook. While Blowout Cards did not publicly identify the specific vulnerability or confirm its e-commerce platform, forum users suggested outdated Zen Cart shopping cart software might have been involved based on the PHP/MySQL infrastructure described. The company advised customers to monitor card statements for suspicious activity and report fraud to their card providers, pledging future communications about enhanced security measures.
