Yesterday, NIS America sent out a notice informing users that their online storefronts were compromised in a data breach. This includes the core NISA Online store, as well as the SNK Online Store.
Hello everyone, you may have received an email regarding a data breach of the NISA Online Store. This is a valid and legitimate email. Please stand by as we work on resolving the issue. Thank you for your patience and understanding!
— NIS America, Inc. (@NISAmerica) March 1, 2018
According to NIS America, the breach exposed customer payment and address information for users who made purchases between January 23 and February 26, as well as February 28. NIS America sent initial notices to customers who made purchases in this date range first and foremost, before sending the general notice.
In the notice, NIS America explained that they became aware of a malicious process, which attached to the company’s checkout pages. The process, which was active as far back as January 23, was being used to skim personal information from customers. Though the process primarily targeted credit card users, buyers who used PayPal also saw values skimmed.
NIS America describes the process as:
After entering their billing, shipping, and payment information, the customer would be temporarily redirected to an offsite web page not owned or operated by NIS America, Inc. This malicious process would record the information provided by the customer during the checkout process, including credit card information, billing address, shipping address, and email address. Afterward, the malicious process would return the customer to the NIS America store page to complete their transaction.
Customers that may have had their information compromised between these dates were sent an email informing them dated February 28th, 2018. If you did not receive an email on this date, it is because our records did not show that you were impacted.
NIS America took their stores offline when they discovered the issue on February 26. After fixing the problem on their end, they returned to normal operations. NIS America noted that a new malicious process was discovered to be running on the afternoon of February 28. The new instance “was reintroduced by using an alternate method early in the morning of February 28th.”
In response to the two breaches, NIS America pledges that “We are continually monitoring our online stores at this time to ensure that no malicious changes are able to be made.”
What’s at Risk
NIS America explained that both PayPal and credit card users were potentially affected, with the following at risk for both:
- Credit Card: Credit Card Details (Number, Expiration Date, CVV Code), Name, Address, Login Details, Email Address
- PayPal: Billing Address, Shipping Address, Email Address
Source: NIS America (Email Communication)