Cyber Incident Victim: Gamestop

In April 2017, GameStop Corp. confirmed it was investigating a potential breach of its gamestop.com website following third-party reports that customer payment card data was being sold online. The company initiated the investigation after being alerted to these claims and engaged a leading security firm to assess the situation. Financial industry sources indicated the compromise likely occurred between mid-September 2016 and early February 2017, based on alerts from credit card processors. The suspected stolen data included cardholder names, payment card numbers, expiration dates, billing addresses, and three-digit CVV2 security codes. While online merchants are prohibited from storing CVV2 data, attackers potentially captured this information through malicious software installed on GameStop's e-commerce platform, intercepting details before encryption during transactions. GameStop declined to specify the exact timeframe or confirm the types of compromised data, maintaining focus on its ongoing investigation.

The breach exclusively impacted gamestop.com customers, with no evidence of compromise at GameStop's 7,000+ physical retail locations across the United States, Canada, Australia, New Zealand, and Europe. As the 269th most visited U.S. website according to Alexa.com, the platform represented a significant revenue channel for the $8.6 billion company, though the proportion of online sales remained unspecified. GameStop advised customers to monitor payment card statements for unauthorized charges and promptly report discrepancies to issuing banks, noting cardholders typically bear no liability for timely reported fraudulent transactions under payment network rules. The company emphasized continuous efforts to address the issue but provided no further details regarding containment measures, forensic findings, or the number of affected customers. Its public statement expressed regret for customer concerns while stopping short of confirming the breach's validity or scope.