U.S. online store PulseTV has disclosed a large-scale customer credit card compromise. As per the notification letter shared with the Office of the Maine Attorney General, more than 200,000 shoppers have been impacted.
The platform found out about a potential breach from VISA on March 8, 2021, who informed them that unauthorized credit card transactions were taking place on the site.
After running some security checks and scanning for malware, PulseTV was unable to pinpoint any issues on its e-commerce website.
However, the problem persisted as law enforcement contacted them a few months later regarding payment card compromises that appeared to have originated from pulsetv.com.
The company responded with a new round of investigations, this time engaging the services of a third-party specialist.
On November 18, 2021, the investigators “learned that the website had been identified as a common point of purchase for a number of unauthorized credit card transactions for MasterCard.”
“Based upon communications with the card brands, it is believed that only customers who purchased products on the website with a credit card between November 1, 2019 and August 31, 2021 may have been affected” – PulseTV
The information that may have been compromised includes the following:
- Full name
- Shipping address
- Email address
- Payment card number
- Payment card expiration date
- Payment card security code (CVV)
The above information is everything required for card-not-present transactions that are used for shopping online.
PulseTV customers that made purchases from the site during the specified breach period are recommended to keep a vigilant eye on their bank statements for unauthorized transactions.
The platform also announced that they are migrating to a different payment system, will activate two-factor authentication (2FA) on all their accounts, and will utilize endpoint protection tools for greater network visibility and threat mitigation.
PulseTV claims that their investigations did not reveal a breach on their systems. They were the common point for multiple unauthorized transactions, though.
This makes it unclear if a well-hidden skimmer was planted on the website or the cards were stolen from other merchants and only used on PulseTV for shopping.
Sometimes, stolen payment cards are used to buy goods that are delivered to package mules and then sold to obtain cash.
We have reached out to the platform for more details on the type of the unauthorized transactions that took place on their e-shop, but we haven’t received a response yet.
Source: https://www.bleepingcomputer.com/news/security/pulsetv-discloses-potential-compromise-of-200-000-credit-cards/