Whilst the four-time Superbowl Champions, The Green Bay Packers, have rightly been drawing praise this season for their on-field defensive performances, the Organization’s online defense has been called into question following the disclosure of a significant data breach affecting thousands of their loyal supporters.
Contrasting Fortunes
The last week of 2024 saw the storied franchise triumph 34-0 against the New Orleans Saints to record the first defensive shutout of the current NFL season. In his post-match comments, Packers head coach Matt LaFleur gushed, “Obviously, it’s hard to shutout an opponent in this league. From what I was told, it was the first one this season. So, I was really proud of our defense.”
Fast-forward to the start of 2025, however, and pride in defense is certainly not a sentiment resonating with Packer Nation right now. In a letter to supporters, Chrysta Jorgensen, Director of Retail Operations, had the unenviable task of informing them that a threat actor had hacked its official online retail store and injected a card skimmer script to steal customers’ personal and payment information.
What’s the Score?
The letter alerted customers that between September 23-24, 2024, and October 3-23, 2024, their sensitive data was potentially compromised during the checkout stage when completing purchases on their Packers Pro Shop. This data may include name, address (billing and shipping), email address, credit card type, credit card number, credit card expiration date, and credit card verification number. It was stated, however, that transactions made during this time using a gift card, Pro Shop website account, Paypal, or Amazon Pay were not affected by this malicious code.
Following the discovery, the organization’s IT team took steps to resolve the issue. They started by disabling all payment and checkout functions and investigating alongside external cybersecurity experts to assess any potential impact on customer information. They also instructed the site’s hosting vendor to remove the malicious code, update passwords, and ensure no vulnerabilities remained.
As a gesture of goodwill, Green Bay is offering subsidized access to credit monitoring and identity theft restoration services.
You’re in the Game
Green Bay has advised individuals of the steps they can take if they have been affected, are unsure if they’ve been affected, or are just looking to implement good practices in managing their financial affairs. These include reviewing bank statements, monitoring free credit reports, and promptly reporting any suspicious activity to the relevant financial institution holding your accounts, as well as any appropriate authorities, such as your state attorney general and the Federal Trade Commission (“FTC”). Individuals have also been reminded that they have the right to obtain a police report in the event one has been created for this incident.
Expert Analysis
Cybersecurity experts from Black Duck have been giving their reaction to the breach disclosure. Cybersecurity practice lead John Waller asserts that the hack “underscores the growing threat of e-commerce skimming attacks, where malicious scripts are injected into vulnerable websites to steal sensitive customer data during checkout, often remaining undetected for extended periods as this hack was.” He goes on to point out that organizations implementing The Payment Card Industry Data Security Standard (PCI-DSS) 4.0 (which is set to become mandatory on March 31, 2025) can “significantly reduce the risk of breaches while ensuring compliance with evolving security standards.”
Ray Kelly, fellow at Black Duck, adds that “Card skimmer scripts have been a serious threat to online marketplaces for many years.” He cites the Magecart attacks as another example, along with this case, of why it is so essential to secure the supply chain, as “even a single weak link can have catastrophic consequences for businesses and their customers.”
Huddle Up
This author isn’t the first and certainly won’t be the last to equate American football and cybersecurity defensive strategies to you in print – but in relation to this story, it’s timely, relevant, and I’ll be succinct. The best methods for both disciplines entail blocking threats to protect key targets by prioritizing clear communication, continuous monitoring, and adaptability.
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.