Updated

Leicester City Football Club has quietly told people who bought stuff from its website that their financial details have been stolen by hackers – and those details include credit card numbers and CVVs.
Reg reader Yazza, a Foxes follower, received an email from the British club 'fessing up to the hack attack, which affected its merchandise site, shop.lcfc.com.
The network intrusion itself took place on 6 May, with a follow-up email being sent earlier this week. That email read, in part:
Technical investigations are still ongoing, but we can confirm that as a result of the incident your payment card information was compromised. This includes your card number, name of card holder, expiry date and CVV. We can confirm that your SecureCode was not compromised. That information is needed to attempt to conduct transactions using your account.
The PCI-DSS standards explicitly state that if your business is storing card details, they must be encrypted – ideally, salted and hashed. It's also a ridiculously bad idea to capture and store CVVs alongside card numbers and expiry dates.
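To make the storage point concrete, here is an added example (not code from the club, its shop platform, or The Register) of how a merchant back end should treat the fields the breach notice lists: the CVV is dropped before anything is persisted, the full card number is replaced by a keyed hash plus the last four digits, and an audit function flags records that still carry a CVV or a full, Luhn-valid PAN. The checkout record and the hashing key are constructed for illustration; a real key would come from a KMS or HSM, not source code.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List

# Constructed checkout record with the same fields the breach notice names.
# The card number is a well-known test PAN, not a real card.
CAPTURED_CHECKOUT = {
    "card_number": "4111 1111 1111 1111",
    "card_holder": "A FAN",
    "expiry": "12/26",
    "cvv": "123",
    "order_id": "LCFC-0001",
}

# Hypothetical per-deployment secret for the keyed PAN hash (assumption).
PAN_HASH_KEY = os.urandom(32)
CVV_FIELDS = {"cvv", "cvc", "cvv2", "security_code"}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; used to recognise full card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def to_storable_record(checkout: Dict[str, str], key: bytes = PAN_HASH_KEY) -> Dict[str, str]:
    """Keep only what may be written to a database: no CVV at all (PCI DSS forbids
    storing it after authorisation), no full PAN, just an HMAC of the PAN for
    lookups and the last four digits for display."""
    pan = re.sub(r"\D", "", checkout["card_number"])
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("card number failed basic validation")
    record = {k: v for k, v in checkout.items()
              if k.lower() not in CVV_FIELDS and k != "card_number"}
    record["pan_hmac_sha256"] = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    record["pan_last4"] = pan[-4:]
    return record


def find_forbidden_fields(stored: Dict[str, str]) -> List[str]:
    """Audit a stored record: flag CVV-named fields and any value that is a
    full, Luhn-valid card number written as digits, spaces or dashes."""
    hits = []
    for k, v in stored.items():
        digits = re.sub(r"\D", "", str(v))
        if k.lower() in CVV_FIELDS:
            hits.append(k)
        elif re.fullmatch(r"[\d\s-]{13,23}", str(v)) and 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(k)
    return hits
```

Run `find_forbidden_fields` over a sample of existing order rows to discover whether a shop is already holding data it should never have kept.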
SecureCode is an optional Mastercard thing that adds an extra layer of authentication to online card transactions.
Yazza suspected that LCFC's site was running the Magento ecommerce platform and suggested to The Register that one potential attack vector could have been the Magecart malware. We have no information to support this theory, though a recent Magecart infection on a third-party site wound up infecting rent-a-blogger serious business news website Forbes. It is possible that an infection of a third-party site whose elements are used by LCFC's online shop could have spread to the football club.
LCFC itself didn't respond to our questions, though we suspect asking them about something other than pink away shirts or their ninth-place finish in the Premier League probably needs a bit more explanation.
Nonetheless, the footie club wasted an opportunity to tell us they are desperately sorry for leaking data and that they take the security of customers' data very seriously.
It is not clear how many fans were caught up in this cyber-attack.
An LCFC fan forum features posts where some appear to suggest that fraudulent transactions have been made on their credit cards following the hack. ®
LCFC ignored The Register's questions and issued a prepared statement full of the usual vague assurances.
"Last month, the Club discovered a criminal online security breach, which had compromised the personal and financial information of some users of its online retail platform between 23 April and 4 May, 2019," said an anonymous club spokesman.
"All supporters potentially affected were immediately identified and contacted to alert them to the breach and to recommend appropriate action. Upon discovery of the breach, the security of our retail platform was immediately restored and appropriate measures were taken to ensure the security of all other online assets," they continued, adding that police and the Information Commissioner's Office had been informed too.