The Green Bay Packers recently disclosed a significant cybersecurity incident affecting over 8,500 customers who made purchases through their official Pro Shop online store. The breach, occurring in September 2023, resulted in the theft of sensitive customer credit card information.
The attack was discovered on October 23, prompting immediate shutdown of all payment capabilities on packersproshop.com. Forensic investigation revealed that cybercriminals had injected malicious code into the checkout page during two periods: September 23-24 and October 3-23, 2023.
The compromised data includes:
– Customer names
– Billing and shipping addresses
– Email addresses
– Credit card information (numbers, expiration dates, and CVVs)
Notably, transactions made through alternative payment methods including PayPal, Amazon Pay, gift cards, and Pro Shop website accounts remained secure.
Technical analysis by Dutch security firm Sansec identified that attackers exploited YouTube’s oEmbed feature and JSONP callback to bypass security protocols. The malicious script, operating from js-stats.com, captured customer input data during checkout.
In response, the Packers are offering affected customers three years of complimentary identity theft restoration and credit monitoring services through Experian. The organization has also implemented additional security measures and is working with their website vendor to prevent future incidents.
This breach follows a similar incident involving the San Francisco 49ers in 2022, where over 20,000 individuals’ personal information was compromised in a ransomware attack.