Pierluigi Paganini January 01, 2022

U.S. online store PulseTV disclosed a potential credit card data breach, more than 200,000 customers have been impacted.

U.S. online store PulseTV has disclosed a credit card data breach that has impacted more than 200,000 customers.

According to the notification letter published by the Office of the Maine Attorney General, VISA informed the company on March 8, 2021, that its website (www.pulsetv.com) was a common point of purchase for some
unauthorized credit card transactions due to a possible compromise.

The company performed some security checks on its website but did not find any indication of compromise.

In July, the company was alerted again by VISA was in July, but only a few months later law enforcement informed it about additional payment card compromises that appeared to have originated from its website. The company started working a legal counsel that hired cybersecurity experts to assist with the investigation,
2021.

On November 18, 2021, the investigators become aware that the website had been identified as a common point of purchase for a number of unauthorized credit card transactions for MasterCard.

“On November 18, 2021, our investigator learned that the website had been identified as a common point of purchase for a number of unauthorized credit card transactions for MasterCard. Based upon communications with the card brands, it is believed that only customers who purchased products on the website with a credit card between November 1, 2019 and August 31, 2021 may have been affected. The investigation was unable to verify that the website was the cause of the unauthorized transactions.” reads the data breach notification letter. “However, in an abundance of caution, PulseTV is notifying customers, including you, who purchased products on our website during that time period so that they can take steps to protect and secure their credit card information.”

PulseTV believes that only customers who purchased products on the website with a credit card between November 1, 2019 and August 31, 2021 were impacted.

The information that may have been compromised includes:

• Full name
• Shipping address
• Email address
• Payment card number
• Payment card expiration date
• Payment card security code (CVV)

Customers are potentially exposed to a broad range of frauds, including fraudulent card-not-present transactions.

The company will take the following measures to prevent similar incidents in the future:

• Adding two-factor authentication requirements for all internal devices;
• Utilizing end-point detection and response tools to provide greater network visibility and threat mitigation;
• Migrating to a different payment system.

The company is still investigating the security breach with the payment card networks and law enforcement, and is notifying state regulators and impacted customers

At this time the company has yet to determine if it was the victim of a Magecart attack or the stolen card were only used on PulseTV for cash-out.

“We recommend that you remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports for any unauthorized activity. Information on additional ways to protect your information, including how to obtain a free credit report and a free security freeze, can be found at the end of this letter.” concludes the letter. “You should report any incidents of suspected identity theft to your local law enforcement and state Attorney General. If you believe your payment card information may have been compromised, we strongly encourage you to contact your payment card company and/or financial institution and request that the card be cancelled.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, PulseTV)

[adrotate banner=”5″]

[adrotate banner=”13″]