Games developer Nippon Ichi Software (NIS) America has admitted that customers of two of its US online stores are at risk of credit card fraud after they were hacked.
Like something out of our article What you sound like after a data breach, it’s offering customers a $5 (£3.60) online voucher, with no promise of credit checking beyond what the US Government already offers for free.
In social media posts and an email sent on 1 March, NIS said that the breach affecting nisamerica and snkonlinestore happened on 23 January and continued until it was discovered on 26 February.
During that period:
Your personal information, including your payment information, may have been compromised.
Which, when you read further into the alert email, turns out to be an understatement.
After entering their billing, shipping, and payment information, the customer would be temporarily redirected to an offsite web page not owned or operated by NIS America, Inc.
This “malicious process” grabbed everything entered by customers, including billing and shipping address, and credit card data (including the CVV number), before returning customers to the NIS America page to complete the transaction none the wiser. Only PayPal customers were not affected.
NIS said it has taken steps to close the vulnerability that led to the breach, which leaves us guessing as to exactly what that vulnerability might have been.
On Twitter, security researcher Kevin Beaumont claimed he’d been told that the weakness was a writable Amazon AWS S3 bucket, which hosted a JavaScript redirection to a third-party server.
NIS hasn’t confirmed this detail of the breach, so for now it remains informed, plausible, but unverified speculation.
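Whether or not that is what happened here, a bucket that anyone on the internet can write to is exactly what lets a hosted script be swapped for a redirect. The following is an added example, not code from NIS, Beaumont or this article: it audits a bucket policy document (the `Policy` string returned by `aws s3api get-bucket-policy`) and a bucket ACL (as returned by `get-bucket-acl`) for grants that give the public write access. The bucket name and grants in the sample inputs are constructed.

```python
import json
from fnmatch import fnmatchcase

# Policy actions that let a caller replace or delete objects: enough to swap a hosted script.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:PutBucketPolicy")
# Predefined ACL groups. AuthenticatedUsers means *any* AWS account, so it is public in practice.
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}; both mean "anyone".
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def find_public_write_grants(policy_document):
    """Return (Sid, matched write actions, has_condition) for each Allow statement open to anyone.
    Actions match case-insensitively with IAM wildcards; NotPrincipal/NotAction are not modelled."""
    findings = []
    for stmt in _as_list(json.loads(policy_document).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        matched = [a for a in WRITE_ACTIONS if any(fnmatchcase(a.lower(), p) for p in patterns)]
        if matched:
            # A Condition (e.g. source IP) narrows the grant; still report it for review.
            findings.append((stmt.get("Sid", "<no Sid>"), matched, "Condition" in stmt))
    return findings

def find_public_acl_writes(acl_document):
    """Return (group, permission) for every bucket-ACL grant giving a public group write rights."""
    hits = []
    for grant in json.loads(acl_document).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in ("WRITE", "WRITE_ACP", "FULL_CONTROL"):
                hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits

# Constructed sample inputs (hypothetical bucket "example-static-assets"), shaped like AWS output.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-assets/*"},
    {"Sid": "OopsPublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-static-assets/*"}]})
SAMPLE_ACL = json.dumps({"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]}, "Permission": "WRITE"}]})
```

Public read on a static-asset bucket is normal; any public write grant, conditional or not, is the finding that warrants immediate attention, alongside blocking public access at the account level.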
For now, the company’s biggest problem seems to be customer anger, not only at the severity of the breach but also at the offer to compensate victims by applying the $5 discount against future purchases. Said NIS:
We understand that this is a small token, but we hope it will show our commitment and appreciation of our customers as we begin to regain your trust.
After posting what was claimed to be a sequence of fraudulent card transactions running to $1,000, one Twitter user responded:
The five dollars will really help here.
NIS offered customers a link to the Federal Trade Commission’s identity theft service, which offers US citizens affected by data breaches a free 90-day fraud alert via one of several credit reference agencies.
A standard response in data breaches – especially ones that involve live credit card data – would be at least a year of credit monitoring and a credit lock, as was the case for affected users after September’s massive Equifax breach.
This could be a test case for US regulators. NIS is no Equifax, but smaller breaches should not be ignored simply because they are smaller.