DataBreaches.Net


ICG America notifies customers of its companies of payment system compromise (update 2)

Posted on September 25, 2013 by Dissent

ICG America, which operates a family of retail and e-commerce companies that includes Amazing Clubs, Flying Noodle, MonsterBrew, Games2U, TexasIrons, and California Reds, has joined the ranks of those disclosing hacks involving customer data.

In August, ICG America was alerted by a credit card company that their payment processing system appeared to have been attacked. A security firm immediately retained to investigate found evidence of an attack that began on January 2, 2013 and continued until August 2, 2013.

According to a statement by Elena Loyola, the data were encrypted but,

The attacker installed a program on our network that created the ability to decrypt and capture payment card information from our system.

Because of the nature of the program used by the attacker, the investigation could not determine whether the attacker actually viewed or removed any information from any system.

Customer information that might have been viewed or removed included name, address, e-mail address, credit or debit card account number, expiration date, and card verification value.

No explanation was provided as to how the attackers managed to insert a program on their system, and no mention was made as to whether law enforcement had been notified of the incident.

ICG America did not offer affected consumers any free credit protection services.

You can read a copy of their consumer notification, which is available on the California Attorney General’s site. As of this morning, there is no breach alert on their web site or on the sites of the companies they operate.

Update 1: This breach resulted in notification to 6,105 Maryland residents. The total number nationwide is still unknown.

Update 2: This breach resulted in notification to 1,451 New Hampshire residents, too.


6 thoughts on “ICG America notifies customers of its companies of payment system compromise (update 2)”

  1. hamburgey says:
    September 27, 2013 at 3:01 pm

    Check my CC on a weekly basis and last week noticed 2 fraudulent charges so had the bank cancel and issue another one, then got a letter yesterday from ICG about this. I ordered a beer of the month gift for a friend. Guess this is how it happened. Not sure how or if they passed PCI compliance. Sounds like an inside job to me. Usually PCI compliance would require the port for the DB to be SSL so how did the hacker get into it without a certificate. Also must not have been using high ciphers for someone to be able to decrypt. Won’t order anything again from them.

    1. Dissent says:
      September 29, 2013 at 1:57 pm

      Given the rampant number of hacks on e-commerce sites, I tend to doubt this was an inside job, but that’s just my speculation, fwiw.

  2. linda says:
    September 29, 2013 at 1:00 pm

    I also was a victim. I’m furious that this happened in January and I first got the letter from them in September. I also will not be ordering anything from them again.

  3. Floyd says:
    September 30, 2013 at 6:05 pm

    Similar situation here. We ordered the “wine of the month”. Received the “breach” letter last week and an invoice for an order of soccer balls this week. Someone used the data to set up an account in our name. Does anyone know if any class action lawsuits against ICG America have been filed yet? They should be liable for negligence, failure of timely customer notification, failure to reveal the scope of the breach, breach of contract, etc.

    1. Mark says:
      October 17, 2013 at 7:21 pm

      I would love to know as I too had the beer of the month product and the credit card used was compromised a week before they decided to send out acknowledgement of the breach. I would love to bleed these fuckers dry. I’m not sure how sitting on the information and doing nothing for that long can’t be considered negligent.

  4. Pissed in SC says:
    October 7, 2013 at 12:28 pm

    I too am a victim. My card was used four times in the three days before I received their letter. They said the malicious code was on their computer from January thru September. Evidently, when the hacker saw they were discovered and they ran out and started trying to get as much usage as possible. I was able to track one of the purchases back to an 84 year old woman in a nursing home in Tulsa, OK. She too must have been a victim. I don’t know where to check state laws about civil penalties. They said their California company filed the breach, but I thought they were located in Texas. A lot of states restrict class action suits in these kind of cases to keep the settlements small.
