GameStop Looks to Level Up Its Site's Cybersecurity

It could be game over for GameStop shoppers.

The video game store GameStop has confirmed that it is investigating a potential data breach that may have occurred on its website between September 2016 and February 2017. The compromised data may include credit card numbers, verification codes, and expiration dates, as well as names and addresses.

In an email to Fortune, a GameStop spokesperson issued the following statement: “GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website. That day a leading security firm was engaged to investigate these claims.”

GameStop also expressed regret for any concern the incident may have spurred, and reminded customers to monitor their credit cards for suspicious charges.

This alleged incident is just the latest attack to take place in the increasingly rocky cybersecurity landscape. If you or a loved one suffered financial losses that you believe were caused by a data breach, please contact us today for a free, no-obligation legal consultation.

1.4 Billion Records Breached in 2016

The potential GameStop breach is one of many high-profile incidents involving companies like Arby’s, Saks Fifth Avenue, Neiman Marcus, and of course Yahoo. These breaches finally prompted the state of New Mexico to enact cybersecurity legislation, leaving just two states—Alabama and South Dakota—without these types of laws on the books.

Even two states holding out is surprising given the ever-growing prevalence and threat of data breaches. Cybersecurity company Gemalto recently found that worldwide there were 1,792 breaches in 2016—an 86% increase from 2015. Roughly sixty percent of those breaches (1,100) occurred in the U.S.

The 1,792 global breaches compromised 1.4 billion records. Here are a few of Geralto’s other disturbing findings:

• Identity theft was the most common type of breach, comprising nearly 60% of incidents.
• Malicious outsiders—which only accounted for 13% of breaches in 2015—accounted for 68% of breaches in 2016.
• Fewer than half (48%) of breached organizations reported the full extent of the breaches when they first announced them.

These figures paint a frightening picture: more and more, data breaches are carried out by someone with malicious intent, i.e., identity theft. And all too often, companies not only fail to protect their customers, but they don’t even disclose all (or any) of the details upon learning of the breach.

Gemalto Regional Director Graeme Pyper said, “Hackers are casting a wider net and are using easily attainable account and identity information as a starting point for high-value targets. Clearly, fraudsters are also shifting from attacks targeted at financial organizations to infiltrating large databases such as entertainment and social media sites.” 

Anthem Scares Off Data Breach Plaintiffs

Anthem, Inc. suffered a 2015 data breach that impacted as many as 78.8 million people. The compromised data allegedly included social security numbers, addresses, birthdates, income data, and medical IDs. Experts presume that the data has been sold or will be sold on the black market (which is common after a massive breach).

Anthem’s strategy in battling these lawsuits has been coldly effective.

Naturally, this breach resulted in several class action lawsuits filed by affected consumers. Anthem’s two-pronged strategy in battling these lawsuits has been brilliant and coldly effective.

First, Anthem has released as few details about the breach as possible, which could help the company preserve its innocence in court. Unlike Yahoo, for example, which acknowledged that it took more than a year for the company to announce its massive breaches—a blatant violation of California state law (among others).

Second, Anthem has demanded that plaintiffs turn over their personal computers, ostensibly to prove that any alleged breach did not occur prior to the Anthem incident. As a result of this request, many plaintiffs have dropped their lawsuits. (Many people feel squeamish about turning over their browser histories and other computer habits to a stranger, let alone an attorney.) So even if Anthem loses or settles these cases, the payout will be smaller than it would have been prior to this request.

Until these cases go to trial, we won’t know how many plaintiffs (if any) actually suffered breaches that were unrelated to the Anthem incident—or if Anthem can effectively make the case that these breaches were consumers’ faults, not the company’s.

But if this continues to be an effective strategy, one can expect more and more companies—including, potentially, GameStop—to adopt it in the future.