back to article Own goal for Leicester City FC after fan credit card details snatched in merch store hack

Leicester City Football Club has quietly told people who bought stuff from its website that their financial details have been stolen by hackers – and those details include credit card numbers and CVVs. Reg reader Yazza, a Foxes follower, received an email from the British club 'fessing up to the hack attack, which affected its …

  1. Anonymous Coward
    Anonymous Coward

    "It's also a ridiculously bad idea to capture and store CVVs alongside card numbers and expiry dates."

    Its also explicitly forbidden to store CVVs after authorisation under PCI-DSS requirement 3.

    CVVs can never be stored after authorisation of the card while being compliant as I understand it.

    1. FrogsAndChips Silver badge

      If, as suspected, the hackers used Magecart, then all the data has been captured during payment transactions. It doesn't mean that the CVVs were stored by the LCFC website.

  2. Captain Scarlet Silver badge
    Trollface

    I bet the PR Team are horified

    I bet the PR Team are horified, they now have to come up with some other wording.

    "The footie club wasted an opportunity to tell us they are desperately sorry for leaking data and that they take the security of customers' data very seriously"

    1. Captain Scarlet Silver badge
      FAIL

      Re: I bet the PR Team are horified

      I am also horrified by my spelling and grammar!

  3. NerryTutkins

    magento

    Does magento really let you configure it to store card details and CVVs unencrypted? Surely no cart vendor for at least the last 15 years has enabled any feature like that, because if you do, some idiot will actually do it.

    1. Oneman2Many

      Re: magento

      The fact they gave a specific range of dates seems to indicate that it was magecart attack and it would mean the data could have been swiped during transaction due to a compromised web site rather than swiped from their database.

      Still no excuse for having a compromised server for that long.

  4. tiggity Silver badge

    Do not buy much online

    As have my brosers set up with a variety of script blocking addons so third party scripts typically blocked.

    So many online "shops" require a lot of third party script / redirects etc. and so at that point I normally stop my purchase attempt.

    .. Lets face it, VBV, is almost identical to how nasty malware would nab your details & punters are encouraged to accept that as the norm - no wonder theres rich pickings in this area for crims as users trained to have third party crap on payments

    .. Yes I know same origin is no guarantee of safety but at least its removed some attack surfaces

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon