Cyber Incident Victim: The Topps Company
Date: Nov 2018
Location: United States of America
Summary
A sports collectible company experienced a MageCart attack involving malicious script injection into its website's checkout process, compromising customers' personal and payment information, including card details. The breach did not affect transactions processed via PayPal. The company discovered the unauthorized access that led to the script's insertion and removed the script after upgrading its site software. Exposed data potentially included names, addresses, email addresses, phone numbers, and payment card information with expiration dates and security codes from customers completing purchases during the affected period.
Description
On December 26, 2018, Topps discovered unauthorized access to its sports collectible website, Topps.com, prompting an investigation that revealed a MageCart attack. Attackers had injected malicious code into the site’s checkout or cart pages, enabling the theft of customer payment and personal information submitted during transactions. The malicious script operated undetected for nearly seven weeks, from November 19, 2018, until its removal on January 9, 2019. Topps confirmed the script captured data in real time as customers entered details during purchases, transmitting it to attacker-controlled servers. The company’s breach notification clarified that PayPal transactions were unaffected, as the malicious code only intercepted data from direct purchases processed through the Topps website.

The compromised data included names, mailing addresses, telephone numbers, email addresses, credit or debit card numbers, card expiration dates, and security codes. Topps responded by upgrading its website software and removing the malicious script on January 9, 2019, ending the data exfiltration. The company advised affected customers—those making purchases between November 19, 2018, and January 9, 2019—to monitor credit reports and card statements for fraudulent activity and to notify their card issuers of the breach. No evidence suggested broader system compromise beyond the checkout process, and the incident remained confined to payment data entered during the script’s active period. Topps did not disclose the number of impacted customers or whether law enforcement was involved in the investigation.
