Categories: SecurityWorkspace

Warner Music Warns Of Three-Month Payment Card Hack

Warner Music Group has notified customers of a prolonged hack that allowed attackers to acquire payment details belonging to an unknown number of individuals.

In a letter to customers it believes may have been affected by the hack, Warner said the incident lasted from 25 April to 5 August.

The company learned of what had occurred on 5 August and took action, it said.

“Keeping personal information safe and secure is very important to us,” the multinational said in its letter.

Card skimming

“We deeply regret that this incident has occurred.”

The hack affected US-based e-commerce websites operated by Warner but hosted and supported by an external service provider, the company said.

“Any personal information you entered into one or more of the affected website(s) between April 25, 2020 and August 5, 2020 after placing an item in your shopping cart was potentially acquired by the unauthorised third party,” Warner stated.

The details potentially affected include name, email address, telephone number, billing address, shipping address and payment card details, including card number, security digits and expiration date.

It said PayPal transactions were not affected.


Warner said it has launched an investigation with outside security experts and took steps to correct the issue, as well as notifying card providers and law enforcement.

The company offered 12 months of free identity protection services to those affected, which it said  it hoped would “restore confidence”.

It urged customers to “remain vigilant for any unauthorised use of your payment cards or suspicious email communications”.

Warner didn’t indicate how many customers may have been affected.

The attack comes three years after the company was hit by a phishing scam that resulted in the leak of 3.12 TB of internal data relating to its music video provider, Vevo.

Targeted code

The latest Warner hack appears similar to a 2018 “skimming” attack on British Airways that allowed hackers to make off with details on hundreds of thousands of payment cards during the peak summer holiday season.

The Magecart group was said to have been responsible for the attack, which involved planting malicious code on BA’s website and mobile app.

BA said at the time that 380,000 transactions were affected by the scam, which involved the use of code customised specifically to run on BA’s site.

“The Magecart actors… have continually refined their tactics and targets,” computer security firm RiskIQ said at the time.

“We’re now seeing them target specific brands, crafting their attacks to match the functionality of specific sites.”

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

US DoJ Charges Six Russian GRU Officers For Cyberattacks

Hackers also targeted this year's delayed Olympic Games in Tokyo says UK, as the US…

1 hour ago

Google Discloses Biggest-Ever DDoS Attack

Google says it successfully fended off a 2.5 Tbps denial-of-service attack in 2017, making it…

1 day ago

Microsoft Issues Two Emergency Windows Patches

Microsoft publishes out-of-band patches for bugs in Visual Studio Code and Windows Codecs Library that…

1 day ago

Zoom Introduces Paid Events, In-Meeting Apps

Zoom aims to capitalise on its massively increased user base with platform for paid events…

1 day ago

European Telecoms Trade Group Warns Against Banning Chinese Vendors

Banning Chinese telecoms equipment vendors for political reasons will increase costs and delay network upgrades,…

1 day ago

Twitter Changes Policy On Blocking ‘Hacked Materials’

Twitter will no longer block links to articles containing hacked materials, following criticism over treatment…

1 day ago