Close up of girl paying music services with credit card showing Magecart attack on ecommerce site

Hackers Accessed Personal and Credit Card Information in Warner Music Group Magecart Attack

Warner Music Group (WMG) suffered a three-month long Magecart attack that leaked its customers’ personal and financial information, a recent legal filing in California revealed. The attack, which targeted US-based e-commerce services hosted by third parties, occurred between 25 April and 5 August. Although the company acknowledged the incident, it did not reveal the number of customers affected by the breach.

Warner Music Group Magecart attack incident filing in California

Warner Music Group filed a data breach incident notice with the California Attorney General acknowledging the Magecart attack. The international music recording company said that hackers accessed customers’ details from its various e-commerce websites hosted and supported by an external service provider. The filing disclosed that hackers exfiltrated the information from the customers’ checkout pages.

Additionally, WMG released a statement saying that an unauthorized third party accessed “any personal information you entered” on the checkout pages of the affected websites.

Data exposed in the Warner Music Magecart attack

WMG said that the information exfiltrated by the attackers included the customer’s name, email address, telephone number, billing address, shipping address, and payment card details (card number, CVC/CVV, and expiration date). However, the company said that the MageCart attack did not affect transactions completed through PayPal.

The company didn’t confirm whether personally identifiable information (PII) was leaked during the Magecart attack, but said that those details were possibly accessed during the transaction session. WMG, however, confirmed that the information accessed could allow fraudsters to complete fraudulent transactions.

The breach posed a significant risk to WMG customers. Having both personal and financial information of the customers can allow hackers to conduct fraudulent purchases as well as carry out phishing attacks to harvest more information from the victims.

Ameet Naik, a Security Evangelist at PerimeterX, says that cyber criminals receive huge payouts from e-commerce digital skimming. Such payouts make e-commerce sites lucrative targets for hackers across the world.

“Digital skimming and Magecart attacks continue to be a lucrative source of revenue for hackers as they continue to seek large targets for maximum payouts. For example, data stolen from an attack on another e-commerce platform in 2019 was valued at $133M on the dark web.”

He adds that third-party e-commerce scripts are a blind spot for website operators. Cybercriminals use the shadow code to conduct client-side digital skimming, which leads to information leakage and compliance penalties on the website operators. Naik also notes that only 8% of e-commerce website owners have insights into the shadow code used on their websites.

“Businesses must take control of Shadow Code in their web and mobile applications by following basic security best practices and by leveraging runtime behavioral analysis to detect and stop hidden code from compromising their user data,” Naik continues. “Consumers must also continue to be vigilant about their personal data and monitor their credit reports for signs of fraudulent activity.”

Warner Music Group fraud mitigation efforts

The company said it had launched a forensic investigation with cybersecurity experts and law enforcement agents to address the issue. It also notified the relevant credit card providers to impose additional security measures on transactions involving credit card affected the MageCart attack.

Additionally, the third-largest music recording studios offered 12 months Kroll identity monitoring free of charge to individuals affected by the Magecart attack.

However, the music recording label failed to provide the list of websites affected by the Magecart attack, or the number of customers affected by the breach. Similarly, WMG did disclose the external service provider affected or whether it had contacted the affected customers. Many affected individuals could be unaware that their payment information was exposed.