Update 6/17/19: Giftcardmall has confirmed a data breach has occurred. If you used the site between April 24th and May 21st, 2019 then your information is likely to have been accessed. Full letter sent out below.
They are also stating that there is no evidence your personal information was actually accessed, but lots of readers originally reported fraudulent transactions on their credit cards so I’m not sure how that’s remotely accurate. I’ve said it before but I’ll say it again, until the penalties for data breaches increase they will continue to occur at an alarming rate. Hat tip to lobonomnom
[Reposting on 5/28/19 as an additional reminder since it appears that many/most cards used on Giftcardmall are affected; tons of people reporting unauthorized charges. Keep a sharp eye on your cards, or even just ask the bank to replace your card.]
A number of users on reddit are reporting that cards that were only used to make purchases at giftcardmall have had fraudulent purchases made at other stores. Reddit user lobonomnom also reports that Norton detected a formjacker on the checkout page, but I was unable to replicate that result. Has anybody else noticed something similar?
had an order with them on 4.20…
They closed the breach on May 21 and didn’t notify anyone until now? Shmucks. (Good thing Reddit and DoC pointed out the breach to them)
The first step is to close the known holes, start auditing for other unexpected changes, and also to look and see what data was accessed, what other impacts there were. If they inserted a form jacker, but also, for example, intercepted database communications, they need to figure that out before sending out the notifications so they can be more confident when they say what data was accessed.
Just got my notice in the mail today trying to buy a Shaw’s card (Massachusetts) and it transferred me to GCM. I was never given the online card and it said there was a problem and the money would be refunded. I need to contact Shaw’s (Kroger) and tell them not to use GCM to sell online gift cards.
Went to my bank and they immediately verified that no money was stolen, canceled my old card and have a new one being sent to me. Will NEVER use GCM or make any gift card purchase that requires a third party. Lesson learned.
This may be a naive question. The Simon mall online URL seem to use giftcardmall.com also. Do people think those would be affected also?
Of course, certainly not very reassuring, and I never just hang onto these cards and would encourage spending/liquidating ASAP.
I change the PIN on every non-vanilla VGC I buy elsewhere through the GCM website. I didn’t have any issues during the period of the breach, but I also try and liquidate them within a day or two, and never hold for more than a week. I agree though, I don’t think it affected that at all, only users who purchased gift cards through the GCM website.
I haven’t seen any update on this. I need a few Visa gift cards and — if not for this fraud — it would be easier for me to buy them online. Logic would say GCM would fix the problem fast, but we know that hasn’t always been the case with gift card fraud. Any idea what’s going on?
And how has this story stayed out of the media?
But this wasn’t gift card fraud per se – it was a data breach that could happen on any online shopping site.
IMO, risk of actual gift card fraud is much higher in B&M locations. To be safer, use virtual CC #s online when possible.
No, data breaches cannot and will not happen on, “any online shopping site.” Data breaches happen on sites that are derelict of their duty to implement sufficient security measures.
But, it’s true that using unique card numbers is far more secure, since closing that number after the purchase significantly limits any potential damages from ever occurring.
All banks should be required by law to offer unique account numbers for every transaction; numbers that can only be used once. Our system is already fully capable of this token adjustment.
anyone know if there has been a response from GCM about this?
GCM is requiring a password change upon login, which is probably a response to the breach. Email went out a couple days ago.
Of course it’s common sense to change your password after a data breach anyway! But this indicates GCM is at least aware. I doubt they are going to advertise the breach in public so that’s probably all we’ll hear from GCM.
Symantec is no longer flagging the formjacker as of a few days ago, so that’s a good indication something has changed.
We need to watch for DPs of CCs used on GCM for the first time, AFTER LATE MAY, being compromised. I have yet to see any. Of course absence of evidence is not proof.
So basically an ongoing data breach.
Sonofagun… I had to come back to this and verify the site.
I pulled the trigger on about 10 of those Staples Lowes cards, when I printed them out it says the sale was powered by GiftCardMall..
I surely hope the fraud is limited to GCM’s front end, and not its back end.. Or that Staples protects its purchasers in some way.
So far no fraud on my one “saved” CC with GCM. It’s safer to use virtual numbers — if they work. Also: text alerts for online purchases.
I’m guessing others are also finding this story surprising. Other than the risk of cards lost/stolen in the mail, I always thought it was safer to buy gift cards online (so as to avoid tampering risk). So much for that!
Fortunately, I haven’t bought any cards recently from GCM, but I did buy a card from giftcards.com. Aren’t all of these companies owned by the same enterprise, Blackhawk? If so, it doesn’t give me a lot of confidence that any of them are safe to deal with at the moment. This is unfortunate, because many of us have found that it’s easier/cheaper to buy gift cards online than in stores. I guess now we have to go back to the stores, at least for awhile.