[BreachExchange] Guitar Tuition Website Suffers Six-Month Data Breach

Destry Winant destry at riskbasedsecurity.com
Wed Mar 18 10:17:06 EDT 2020 

https://www.infosecurity-magazine.com/news/guitar-tuition-website-suffers/

A Florida company that offers guitar lessons online to millions of
students around the world has suffered a data breach.

Unauthorized access of TrueFire's computer system went on for six
months before the breach was detected on January 10, 2020.

In a data breach notification letter dated March 9, 2020, and signed
by TrueFire Chief Customer Officer Ren Wright, users who made
purchases via the website truefire.com between August 3, 2019, and
January 14, 2020, were warned that their data may have been
compromised.

Wright said that data exposed during the lengthy breach may have
included names, addresses, payment card account numbers, card
expiration data, and security codes.

Though the company does not store customers' payment card information
itself, it warned that threat actors with access to its computer
system may have been able to steal this information in real time as
users bought classes and courses.

Wright wrote: "On January 10, 2020, TrueFire discovered that an
unauthorized person gained access to our computer system and, more
specifically, to information that consumers had entered through our
website.

"While we do not store credit card information on our website, it
appears that the unauthorized person gained access to the website and
could have accessed the data of consumers who made payment card
purchases, while that data was being entered, between August 3, 2019
and January 14, 2020."

TrueFire did not reveal how the breach was discovered but said that it
has been reported to law enforcement. The company also said that it is
"working with computer forensic specialists to determine the full
nature and scope of the intrusion."

The company has advised its users to review their credit and debit
card statements and check for any discrepancies or unusual activity.

"You should also remain vigilant and continue to monitor your
statement for unusual activity going forward," wrote Wright. No offer
was made to provide users with free credit monitoring services.

In their breach notification letter, TrueFire gave no reason as to why
they waited until March 9 to inform users of the breach that was
discovered on January 10. No mention of the data breach could be found
on the TrueFire website at time of publication.

More information about the BreachExchange mailing list