Credit card info stolen from Strat's site

Got me. Just bought the ratings guide.

Reposting this from another thread for visibility:

It looks like if you are on the marketing email list, you got notified.

Code: Select all

February 8th, 2021

To our loyal customers-

We are writing to let you know that we just learned that several customers who used credit cards on our website during January and February 2021 were subsequently notified of fraudulent transactions on their credit cards.  Upon learning this information, we immediately began an investigation and took steps to ensure the security of our website. 

When we complete our investigation, we will be back in touch with additional information, but wanted to send you this notice in the meantime so that you can immediately contact your credit card company and ensure that you are not impacted as well.

In addition, we have taken the proactive step of disabling credit card functionality on our website. You can still place new orders and securely pay with your credit card through the link on our site to PayPal, even if you don’t have a PayPal account. 

We have also engaged a third party to investigate and we will update as we learn more.

Any pre-order previously placed will be sent upon commencement of shipping later this month.

Apologies for any inconvenience this has caused our amazing customers and community.   

Be well.  Play well.

Your Friends at Strat-O-Matic

A couple things on this, only because it's part of what I oversee in my work.

The scope of the communication really should have been driven by the contact info in the online order platform and not the marketing database, but it's a mom and pop shop so they probably don't know that.

When breaches happen, the standard incident response is to notify ALL of the online customers, regardless of when the transaction occurred. Then, it is common operating procedure to offer the at risk customers free identity fraud protection (like NortonLifeLock, Experian, IdentityGuard...) for 12-24 months, paid for by the company.

SOM is a very small company and probably don't have the experience to know what the best practices are unfortunately. Per their email, they are outsourcing the investigation, not unheard of in a company this size, and hopefully the cyber security company will advise to follow up with a more thorough communication and complimentary identity fraud protection.

I don't expect that SOM will pick up the cost for the monitoring though, hopefully I am wrong. If they don't, these services aren't very expensive for an individual and can be valuable if you have an active online consumer presence. You could consider signing up on your own. Some even have trials that you can sign up for, free of charge for 30-60 days.

It's important to keep in mind though, that the time frame of the risk extends well beyond immediate period after the breach occurred. Information is sold and traded in the identity theft community and can be used up until the expiration date of the credit card (the expiration date is part of the breach data).

I hope this was helpful to anyone that is concerned about the risk associated with the breach. I've gotten a lot from this community over the years and would be glad if this was a chance to contribute back to it.

Rob

I think this hack happened long before Jan. Mine was late October. Going forward, I'm wary of doing biz with Strat.

We instantly believe the initial messaging or wording, like this happened in Jan. or Feb., but who really knows?? Don't trust the authority source, geez.

They got me too. I purchased some credits from Strat and was hit with a $700 bill from a Harley Davidson dealer in Wisconsin. Fortunately, my bank caught it before I did and took care of it. Thank you USAA.

Matt

OK, updating the status on this. Another manager forwarded this to me, he just received it:

Code: Select all

February 10th, 2021

To our loyal customers-

We are writing to let you know that on February 8th, we learned that several customers who used credit cards on our website during January and February 2021 were subsequently notified of fraudulent transactions on their credit cards.  This happened despite the strict security protocols we maintain at Strat-O-Matic and on strat-o-matic.com   Sadly, we join a long list of companies (large and small) who have had customer information stolen.   However, it is important to note that identities were not stolen, as Strat-O-Matic has no social security or birthdate information for our customers.   We also do not store credit card information (you must re-enter your credit card every time you purchase at Strat-O-Matic).  Despite these precautions, our investigation to date has revealed that hackers were able to intercept credit card numbers inputted into our site for the period from January 5, 2021 through February 8, 2021. 

Our investigation to date indicates this incident only impacts individuals who conducted credit card transactions on our website between January 5, 2021 and February 8, 2021.  The investigation also indicates that this criminal activity has not impacted anyone who used PayPal to pay for purchases on our site, even if the purchase was made with a credit card via PayPal during the relevant time period.

If you used a credit card directly on our site without PayPal between January 5, 2021 and February 8, 2021, we would strongly recommend either canceling the credit card or informing your credit card issuer that your card could be used for fraudulent charges.

On February 8, 2021, we learned of this incident, and immediately took steps to stop any further abuse. First, we began an investigation to review our site and determine if we had been attacked. We also emailed those potentially affected by the incident, suggesting that they check with their credit card companies to ensure they are protected from any unauthorized use of their credit cards. 

We are emailing our entire community today in order to be open with you about the incident and to avoid any miscommunication.   To ensure that this sort of incident cannot recur, we have taken the proactive step of disabling credit card functionality on our website. You can still place new orders and securely pay with your credit card through the link on our site to PayPal, even if you don’t have a PayPal account.   PayPal is one of the industry leaders in customer data, security and privacy.   

Any pre-order previously placed will be sent upon commencement of shipping later this month without any sort of disruption due to this situation.

Our sincere apologies for any inconvenience this has caused our amazing customers and community.   

Be well.  Play well.

Your Friends at Strat-O-Matic

Based on this communication, what likely happened is that their e-commerce platform had a security vulnerability that was exploited. The hackers installed malware that sat on their network undetected, capturing and downloading all data passing through the site. The hackers then take that data and scan for personal information such as, names, addresses, credit cards #s, security codes, user IDs and passwords, and create a database of information from it. The hackers then immediately sell and use the credit card info, but they also match all of the data against a database of information that they have accumulated from other hacking activity (that they have done, purchased, traded for) and use it for identity theft.

SOM stated that SOM doesn't store the information on their platform (sounds correct) and that there isn't enough personal data from this specific incident for the hackers to steal someone's identity (also sounds correct), but there is still a risk for identity theft since the data is now exposed and distributed. The malware method used here captured data as it was transmitted, so even though it isn't "stored", it was still captured.

Here some links on what to do if your credit card is stolen, they all basically say the same thing:
Lifelock - https://www.lifelock.com/learn-credit-finance-what-to-do-if-you-lose-a-credit-card.html
CNBC - https://www.cnbc.com/select/what-to-do-if-your-credit-card-is-stolen/
Experian - https://www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/credit-card-fraud-what-to-do-if-you-are-a-victim/

Credit card fraud can be very costly depending on the policies of the credit company. Amex is great with fraud protection, other's not so much. So depending on the card you use on the web, your financial exposure will vary, it's good to know how each of your credit card companies handle fraud.

Hope this helps,

Rob

Wells Fargo is also good at fraud. In the past I have had a couple problems and they took care of it immediately. I also signed so I get text messages every time my card is used. Back in 2012 I was setting at my kitchen table in Houston Tx and got a text message that I bought a airline ticket in NY going to Frankfurt. So I called Wells Fargo and they declined that and suspended my card. Over the next week I kept getting texts saying my card was declined. Who ever had my card was trying to get a free vacation. It was decline in Frankfurt, London, Paris, then back in LA. The whole time my account was not link to that card anymore.
So I guess I'm trying to say, if you have the option to signed up to get text messages with your CC company I would do it ASAP.

I’ve had 3 cards compromised in the last year. Switched to PayPal when dealing with SOM purchases back in DEC. starting to think they’re the source of all my issues. Thankfully, my credit union is great with this. We’ve always gotten notifications, and always got our money back.

I've been hacked twice since the first of the year. Fortunately my bank, TDBank, was on the ball and shut my account down as soon as signs of fraudulent activity showed up. I just exchanged my old debit card for a new one yesterday (for the second time) and have been scratching my head as to the source of the problem. At least now I know.

Hopefully SOM will get it figured out quickly as it is a small company primarily dependent upon internet sales and without confidence in it's security this could prove catastrophic.

Not to mention that , thanks to Winberry, they are practically computer illiterate.