[BreachExchange] Warner Music Group Discloses Data Breach

Destry Winant destry at riskbasedsecurity.com
Tue Sep 8 10:24:07 EDT 2020 

https://www.infosecurity-magazine.com/news/warner-music-group-discloses-data/

Warner Music Group has issued a data breach notification following a
prolonged skimming attack on an undisclosed number of its e-commerce
websites.

The cyber-attack was discovered by the multinational entertainment and
record label conglomerate on August 5, 2020.

E-commerce websites that are hosted and supported by an external
service provider in the US but operated by Warner were found to have
been compromised by an unauthorized third party.

By installing data-skimming malware on the sites, the threat actor was
able to access information being entered by customers.

Personal data compromised in the attack included names, email
addresses, telephone numbers, billing addresses, shipping addresses,
credit card numbers, card expiration dates, and CVC and CVV codes.

The as yet unidentified cyber-criminal accessed Warner customers'
personal information entered into the affected websites during
transactions made between April 25, 2020, and August 5, 2020. Payments
made through PayPal were reportedly not affected by this incident.

A data breach notice sent by Warner to the affected customers stated
that "any personal information" customers had entered into the
affected websites "after placing an item in your shopping cart was
potentially acquired by the unauthorized third party."

Warner said that it was prompt to inform relevant credit card
providers and law enforcement of the breach. The company has not yet
disclosed how many customers were affected by the incident.

Affected customers have been offered 12 months of identity monitoring
services free of charge by Warner.

The cyber-attack comes three years after Warner fell victim to a
phishing scam that resulted in the leak of 3.12 TB of internal data
relating to Vevo, the company's premium music video provider.

“Digital skimming and Magecart attacks continue to be a lucrative
source of revenue for hackers as they continue to seek large targets
for maximum payouts. For example, data stolen from an attack on
another e-commerce platform in 2019 was valued at $133M on the dark
web," commented security evangelist at PerimeterX, Ameet Naik.

"Third-party platforms, scripts, and services are ideal targets for
attackers because the techniques can be reused to steal data from
multiple e-commerce sites."

More information about the BreachExchange mailing list