Categories: SecurityWorkspace

Warner Music Warns Of Three-Month Payment Card Hack

Warner Music Group has notified customers of a prolonged hack that allowed attackers to acquire payment details belonging to an unknown number of individuals.

In a letter to customers it believes may have been affected by the hack, Warner said the incident lasted from 25 April to 5 August.

The company learned of what had occurred on 5 August and took action, it said.

“Keeping personal information safe and secure is very important to us,” the multinational said in its letter.

Card skimming

“We deeply regret that this incident has occurred.”

The hack affected US-based e-commerce websites operated by Warner but hosted and supported by an external service provider, the company said.

“Any personal information you entered into one or more of the affected website(s) between April 25, 2020 and August 5, 2020 after placing an item in your shopping cart was potentially acquired by the unauthorised third party,” Warner stated.

The details potentially affected include name, email address, telephone number, billing address, shipping address and payment card details, including card number, security digits and expiration date.

It said PayPal transactions were not affected.


Warner said it has launched an investigation with outside security experts and took steps to correct the issue, as well as notifying card providers and law enforcement.

The company offered 12 months of free identity protection services to those affected, which it said  it hoped would “restore confidence”.

It urged customers to “remain vigilant for any unauthorised use of your payment cards or suspicious email communications”.

Warner didn’t indicate how many customers may have been affected.

The attack comes three years after the company was hit by a phishing scam that resulted in the leak of 3.12 TB of internal data relating to its music video provider, Vevo.

Targeted code

The latest Warner hack appears similar to a 2018 “skimming” attack on British Airways that allowed hackers to make off with details on hundreds of thousands of payment cards during the peak summer holiday season.

The Magecart group was said to have been responsible for the attack, which involved planting malicious code on BA’s website and mobile app.

BA said at the time that 380,000 transactions were affected by the scam, which involved the use of code customised specifically to run on BA’s site.

“The Magecart actors… have continually refined their tactics and targets,” computer security firm RiskIQ said at the time.

“We’re now seeing them target specific brands, crafting their attacks to match the functionality of specific sites.”

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Facebook Agrees To Pay French Newspapers

Social network giant Facebook signs copyright deal with local publishers - this time with a…

2 days ago

US Watchdog Questions Tech Giants On Electronic Payments

Consumer Financial Protection Bureau questions Amazon, Apple, Facebook, Google, PayPal, and Square over electronic payments

2 days ago

Apple To Require Daily Tests For Unvaccinated Staff

Unvaccinated staff working for Apple will be required to take a Covid-19 test, every time…

2 days ago

Sphere Chat App Acquired By Twitter

Second startup purchase by a big name tech firm for young British entrepreneur Nick D'Aloisio,…

3 days ago

Boeing Delays Starliner Launch Until 2022

Glitch with vehicle's propulsion system discovered in August still to be resolved, and crucial uncrewed…

3 days ago

Oversight Board: Facebook ‘Not Forthcoming’ On VIP Cross-check System

Facebook’s own oversight board has slammed the platform for withholding relevant information about its VIP…

3 days ago