Credit card details of 208 customers of ABS-CBN Corporation’s two online stores may have been stolen by the cyberthieves called Magecart, according to the TV network’s report on the cyberattack submitted to the National Privacy Commission (NPC).
The Magecart used a “malicious java script” to capture a customer’s payment card information while an online purchase transaction is in progress at store.abs-cbn.com and uaapstore.com from 16 August, when the code was uploaded, until 18 September, when the program was discovered, the report said citing the findings of the ABS-CBN’s Managed Security Service Provider (MSSP).
“The attacker was able to illegally obtain in real-time, the personal data of affected customers, including their name, credit card number, its expiration date, as well as the card verification number. Other data collected were the data subject’s email address, phone number, and residential address,” NPC said Friday citing the report.
The breach incident was noticed at 8:18 AM of 19 September through a ZDNet online article published nine hours earlier. It was reported about 25 minutes later to the MSSP, which found the malicious backdoor program from the ABS-CBN online store. The management then instruct its third-party vendor to take the online store website down. The compromised site was taken down at 9:28 AM of the same day.
The online store has 44,000 registered users. During the period when the site was compromised, there were a total of 208 validated purchase transactions from unique customers, according to the report.
The company said, within 72 hours upon discovery of the breach, it was able to inform 202 affected data subjects through email and/or cell phone message. There were six customers, however, who either did not provide a contact number or has an invalid email address; they will have to reach them via postage mail.
Affected data subjects were advised by ABS-CBN to immediately inform their bank and credit card provider and change their password. They were also warned not to give any personal or financial information to anyone who may claim to be a company representative.
The MSSP also found suspicious logins from one of the administrator accounts of the third-party vendor, which the concerned administrator acknowledged to be not his. ABS-CBN then required its third-party vendor to reset all passwords and use two-factor authentication.
The NPC said had ABS-CBN insisted its third-party developer use multi-factor authentication earlier, the site would not have been compromised.
It advise Personal Information Controllers and Personal Information Processors to monitor their systems regularly, and have security checks in place, including the full implementation of at least two-factor authentication.
ABS-CBN’s Data Protection Officer, Jay C. Gomez, said the incident is likely a coordinated attack and part of the massive card skimming campaign of Magecart.
Magecart had been linked to the attacks on ticket-selling giant Ticketmaster, U.K. airline British Airways and other e-commerce sites worldwide. Data stolen by the gang is forwarded to a server in the city of Irkutsk in Russia’s eastern Siberia.
The NPC’s investigation of the breach incident is still on-going. Meanwhile, store.abs-cbn.com remains inaccessible. WJG