GameStop is now individually notifying customers that a recent security breach may have compromised their personal and payment card information, nearly two months after publicly acknowledging the breach. In postal letters sent to affected customers last week, GameStop confirmed that an undisclosed number of online customers may have had their payment card details stolen in a breach that occurred between 10 August 2016 and 9 February 2017.
Hackers were able to gain access to customers' names, addresses, payment card numbers, expiration dates as well as the three-digit card verification values (CVV2) usually found on the back of payment cards.
In April, GameStop said it was notified by a third party that the payment card details of some of its GameStop.com customers were being offered for sale on a website. Security blog KrebsOnSecurity first reported the possible breach.
GameStop said it launched an investigation into the suspected breach following the report and hired a "leading cybersecurity firm" to assist. It later mailed notification letters to customers who made or attempted to make purchases through its website during the time frame of the attack.
"Although the investigation did not identify evidence of unauthorized access to payment card data, we determined on April 18, 2017 that the potential for that to have occurred existed for certain transactions," GameStop CEO J. Paul Raines wrote in a letter dated June 2 sent to impacted customers.
"We take the security of our customer's personal information very seriously. Once we learned of this incident, we took immediate action including initiating an internal review, engaging independent forensic experts to assist us in the investigation and remediation of our systems and alerting law enforcement. To help prevent this type of incident from happening again, we are continuing to take steps to strengthen the security of our network."
GameStop has not revealed how many people were impacted by the breach or how the data was stolen. However, the number of customers affected could be significant given that the attack reportedly occurred during the busy holiday sales season.
Online merchants are also not supposed to store CVV2 codes on their e-commerce sites.
Many irked customers took to social media to question why the retailer took so long to notify them about the breach and chose to do so via snail mail.
GameStop has about 7,500 retail stores across the globe and recently announced plans to close over 150 "non-productive" stores following poor fourth-quarter sales. The retailer also continues to face fierce competition from other major firms including Amazon, Walmart and Best Buy as customers shift towards online shopping while the gaming industry pivots towards digital games and downloads.