Cyber Incident Victim: Direct Marketing Association

The Direct Marketing Association (DMA) experienced a data breach involving its online bookstore, a subsection of its website operated by an unnamed third-party vendor. On January 8, 2015, DMA submitted a breach notification template to the Maryland Attorney General’s Office disclosing that malware had been inserted into the server hosting the bookstore. Forensic investigation confirmed the malware’s presence compromised payment card data processed through the affected system. The exposed information included cardholder names, credit or debit card numbers, card expiration dates, and security codes (CVV/CVC). DMA did not specify the duration of the malware’s activity or the period during which data exfiltration may have occurred. The breach notification was not publicly posted on the official websites of California, Vermont, or New Hampshire, limiting visibility into its regional disclosure scope.

DMA’s response included direct notifications to affected consumers, though the exact number of impacted individuals remains undisclosed. The organization offered one year of complimentary credit monitoring services to mitigate potential fraud risks stemming from the incident. No additional remediation steps or security enhancements were detailed in the available notification template. The breach was confined to the bookstore’s server infrastructure, with no evidence of compromise to other DMA systems or website sections. Third-party involvement in server management introduced supply-chain vulnerabilities, though DMA did not identify the vendor or clarify responsibility for the security failure. The absence of a confirmed data-exfiltration timeframe hindered precise impact assessments for affected consumers.