The Green Bay Packers Pro Shop’s online store suffered a data breach between September and October 2024. Cybercriminals stole the credit card information of over 8,500 customers by injecting malicious code into the store’s checkout page. The Packers disabled all checkout and payment capabilities on the packersproshop.com website immediately after being notified of the breach on October 23.
They required the vendor hosting and managing the site to remove the malicious code, refresh passwords, and confirm no vulnerabilities remained. A forensic investigation revealed that the malicious code may have allowed unauthorized access to customer information entered at checkout using certain payment options between September 23-24 and October 3-23, 2024. The breach did not affect payments made with gift cards, Pro Shop website accounts, PayPal, or Amazon Pay.
Compromised information included names, billing and shipping addresses, email addresses, credit card types and numbers, expiration dates, and CVV numbers.
Data breach impacts Packers Pro Shop
The Packers are offering affected individuals three years of identity theft restoration and credit monitoring services through Experian.
“The incident was limited to the single e-commerce website and did not affect any other Packers information technology or data. We are working closely with our vendors and third-party experts to ensure our sites are as secure as possible for our fans,” the Packers stated. The team is working with vendors to strengthen security controls and prevent future incidents.
They sent notification letters to all potentially affected individuals, providing additional information and the complimentary credit monitoring and identity theft protection. Dutch e-commerce security company Sansec identified the breach in early October, finding that the card-skimming attack used YouTube’s oEmbed feature and a JSONP callback to bypass the Content Security Policy. The injected script harvested data from input fields on the site, exfiltrating the captured information to an external domain.
The Packers advise affected individuals to monitor their account statements for fraudulent activity and report any identity theft or fraud attempts to their bank and appropriate authorities, including the Federal Trade Commission and state attorney general.
