Topps Company, the owners of the Top Trumps brand and makers of collectible cards for both adults and children, has admitted to a serious data breach. In an email sent to customers the company told them: “personal data collected through the Topps website, http://www.topps.com/, may have been compromised.”
The email, which was sent out a few days ago, says that the company became aware of a data breach on October 12. It discovered that hackers had been actively capturing data between July 30 and October 12. Hackers are believed to have had access to data including names, addresses, e-mail addresses and phone numbers. Customers who purchased online using PayPal are not believed to be affected.
Compounding the problem is the admission that card data was also stolen. Topps has admitted hackers had access to credit and debit card numbers, card expiration dates and security codes. None of the credit/debit card data or other personal data appears to have been encrypted. Encryption is a basic step that all merchants taking card details are supposed to carry out. The PCI Security Standards Council makes it clear that: “The public assumes merchants and financial institutions will protect data on payment cards to thwart theft and prevent unauthorized.”
Topps is offering customers one year of CSID Protector services free of charge. According to the email this includes: “CyberAgent Internet Surveillance, Identity Theft Insurance and Identity Restoration coverage.” Interestingly, the email sent to customers seems to be US focused rather than covering other countries. We were unable to get acknowledgement from Topps that CSID cover would apply to customers who do not live in the USA. It is likely that Topps will cover non-US customers, as CSID is part of Experian and has global coverage.
Not the first Topps breach
In its coverage of the story, the website Engadget links to a June article highlighting security issues at Topps. The article, entitled Foul Ball, was written by Chris Vickery and is on the MacKeeper Security Research Center website. In it, Vickery recounts how in December 2015 he found three publicly accessible databases linked to Topps. He says that the databases were secured three days after he noticed them and before he contacted Topps.
In June 2016 Vickery noticed another database was publicly accessible. Despite sending three different emails to the company, Vickery got no response. The timescale of the now admitted leak and that of the publicly accessible database noticed by Vickery coincide. While there is no evidence yet that this is the cause of the data breach, it does raise questions. Among them: why did nobody respond to Vickery? If this is a repeat of the December 2015 breach, how did it happen again? Was the site actually hacked, or did hackers simply pull down data that Topps had left publicly accessible?
Is Topps the victim of a third-party supplier?
This repeat of a known issue suggests that the security and data handling policies of Topps need an urgent review. It could be that the problem is not an internal issue but was caused by a supplier. In November 2016 the recruitment company Michael Page suffered a data breach. That was blamed on the actions of its IT supplier, Capgemini. In that instance the data came from a development server that was being backed up to public cloud servers.
It could yet turn out that the issues at Topps are not of its own making. Unless Topps publishes the details of what happened and how it relates to the issues called out by Vickery, we will never know.
It will be interesting to see what action is taken by card providers and regulators as a result of this breach. There is increasing pressure on the payment industry to act against merchants who fail to protect card details. However, the industry has been loath to act against merchants who lose card data. Doing so is seen as being bad for business rather than good for customers. For a business selling collectibles, any suspension of payment processing would have a significant impact on its revenue stream.
Data regulators are also likely to be looking closely at this case. The failure to encrypt data is likely to see Topps fined by regulators who may also impose other penalties. The damage to its customers and its business could be far more serious. Buyers using the Topps website are presented with what appears to be a secure payment service. Customers will now have to decide if they can trust that security claim in future.