Cybercriminals have succeeded in stealing the payment card information from over 110,000 animal lovers over several months after meddling with Oregon Zoo’s online ticket payment system.
Sensitive information belonging to 117,815 people including their names, payment card numbers, CVV codes, and card expiry dates were stolen after being entered onto the Oregon Zoo’s website by visitors buying tickets online.
The zoo first became aware of suspicious activity on the website’s ticketing systems on June 26, 2024 – and took it offline while it investigated the nature and scope of the problem, building an emergency replacement secure site for online ticket purchases.
According to a data breach notification filed with regulators, the zoo determined on July 22, 2014 that a hacker had managed to steal visitors’ card details between December 20, 2023 and June 26, 2024, after “redirecting online ticket transactions from a third-party vendor.”
The breach notification doesn’t go into much in the way of detail as to how the sensitive payment card information was stolen – but it seems possible that Oregon Zoo fell foul of what is known as a skimming attack.
In a typical data breach, hackers break into company servers, access databases and steal large amounts of information – perhaps including encrypted passwords, email addresses, telephone numbers, and maybe even limited financial details.
What you don’t normally see in a data breach, however, is full payment card information stolen – such as a card’s CVV security code – because the vast majority of companies simply do not store such details.
However, a malicious script planted on a website form which asks purchasers to enter their card details can skim the details before it is passed to a third-party payment processor.
Companies whose customers have been impacted by past skimming attacks include Ticketmaster, British Airways, Vision Direct, Sweaty Betty, SHEIN, the American Cancer Society… and many others.
In the wake of the Oregon Zoo data breach there will be an understandable concern that stolen card details will be sold online to other criminals, and losses incurred by card holders, issuers, and merchants.
Affected zoo visitors are being offered free-of-charge credit monitoring and identity protection services for 12 months, and are being advised to be wary of unsolicited communications and to closely monitor their accounts for suspicious activity.