Attackers made off with full payment card details from Warner Music Group e-commerce sites from April to August of this year, company tells customers
Warner Music Group has notified customers of a prolonged hack that allowed attackers to acquire payment details belonging to an unknown number of individuals.
In a letter to customers it believes may have been affected by the hack, Warner said the incident lasted from 25 April to 5 August.
The company said it learned of the incident on 5 August and took action.
“Keeping personal information safe and secure is very important to us,” the multinational said in its letter.
“We deeply regret that this incident has occurred.”
The hack affected US-based e-commerce websites operated by Warner but hosted and supported by an external service provider, the company said.
“Any personal information you entered into one or more of the affected website(s) between April 25, 2020 and August 5, 2020 after placing an item in your shopping cart was potentially acquired by the unauthorised third party,” Warner stated.
The details potentially affected include name, email address, telephone number, billing address, shipping address and payment card details, including card number, security digits and expiration date.
It said PayPal transactions were not affected.
Warner said it had launched an investigation with outside security experts, taken steps to correct the issue, and notified card providers and law enforcement.
The company offered 12 months of free identity protection services to those affected, which it said it hoped would “restore confidence”.
It urged customers to “remain vigilant for any unauthorised use of your payment cards or suspicious email communications”.
Warner didn’t indicate how many customers may have been affected.
The attack comes three years after the company was hit by a phishing scam that resulted in the leak of 3.12 TB of internal data relating to its music video provider, Vevo.
The latest Warner hack appears similar to a 2018 “skimming” attack on British Airways that allowed hackers to make off with details on hundreds of thousands of payment cards during the peak summer holiday season.
The Magecart group was said to have been responsible for the attack, which involved planting malicious code on BA’s website and mobile app.
BA said at the time that 380,000 transactions were affected by the scam, which involved the use of code customised specifically to run on BA’s site.
“The Magecart actors… have continually refined their tactics and targets,” computer security firm RiskIQ said at the time.
“We’re now seeing them target specific brands, crafting their attacks to match the functionality of specific sites.”