Green Bay Packers' online store hacked to steal credit cards

The Green Bay Packers American football team is notifying fans that a threat actor hacked its official online retail store in October and injected a card skimmer script to steal customers' personal and payment information.

The National Football League team says it immediately disabled all checkout and payment capabilities after discovering on October 23 that the packersproshop.com website was breached.

"On October 23, 2024, we were alerted to the presence of malicious code inserted on the Pro Shop website by a third party threat actor," the Packers's Director of Retail Operations Chrysta Jorgensen explains in breach notification letters sent to potentially affected individuals. 

"Immediately upon learning this, we temporarily disabled all payment and checkout capabilities on the Pro Shop website and began an investigation."

The NFL team also hired outside cybersecurity experts to investigate the incident's impact and find if any customer information had been accessed.

The investigation revealed that the malicious code inserted in the checkout page could steal personal and payment information between late September and early October 2024. However, the Packers say the attacker couldn't intercept information from payments made using a gift card, Pro Shop website account, PayPal, or Amazon Pay.

"We also immediately required the vendor that hosts and manages the Pro Shop website to remove the malicious code from the checkout page, refresh its passwords, and confirm there were no remaining vulnerabilities,"

"Based on the results of the forensic investigation, on December 20, 2024 we discovered that the malicious code may have allowed an unauthorized third party to view or acquire certain customer information entered at the checkout that used a limited set of payment options on the Pro Shop website between September 23-24, 2024 and October 3-23, 2024."

Personal and payment data impacted in the breach includes information entered on the Pro Shop website when making a purchase, such as names, addresses (billing and shipping), email addresses, as well as credit card types, numbers, expiration dates, and verification numbers.

The Packers has yet to share the number of customers impacted by this data breach or how the threat actor could hack into its Pro Shop website to inject the card skimmer script.

The NFL team now offers those affected by this breach three years of credit monitoring and identity theft restoration services through Experian and advises them to monitor their account statements for any fraudulent activity.

Those who observe suspected incidents of identity theft or fraud attempts should immediately report them to their bank and relevant authorities, including their state attorney general and the Federal Trade Commission (FTC).

Two years ago, the San Francisco 49ers also notified more than 20,000 individuals that their personal information (including Social Security numbers) was stolen in a February 2022 ransomware attack claimed by the Blackbyte cybercrime gang.