Seattle-based casual gaming company Big Fish Software notified customers last week that its billing and online payment systems were infected with malware, according to SC Magazine.
According to a letter dated Feb. 11 and sent by Big Fish to affected customers, the company discovered on Jan. 12 that an unknown criminal had installed malware on the billing and payment section of the company’s website, and it appeared to have intercepted customer payment information. The customers affected were those who entered new payment details between Dec. 24, 2014, and Jan. 8, 2015.
Breached information included names, addresses, payment card numbers, expiration dates, card verification codes and potentially other information.
“We have taken the necessary steps to remove the malware and prevent it from being reinstalled. We have reported the incident to and are cooperating with law enforcement. We have also informed the credit reporting agencies and payment card networks about this incident so that they may take appropriate action regarding your card account,” the letter said.
The letter also offered affected customers a free year of credit monitoring from Experian and standard post-breach advice, along with contact numbers for the three major credit-reporting agencies.
In a separate statement to local television station KIRO, the company said it was “the victim of a criminal cybersecurity intrusion of our website” and said it hired “a leading data security forensics firm” to investigate the breach and improve security.
The company also said that the incident affected only “a small percentage of our total customers,” although for a major online gaming company that potentially exposed payment details for all new customers during the two weeks after Christmas, that could still be a significant number of individual victims.
Big Fish was acquired by Churchill Downs Inc. for $885 million on Dec. 16, barely a week before the breach reportedly began, which may help explain why the company has been relatively tight-lipped about many details of the breach, including the number of customers affected and even the name of the outside security company doing the investigation. Along with its namesake racetrack, Churchill Downs runs a large online horse-race betting business and also operates video poker and slot machines at some racetracks. That may put the Big Fish breach in the more tightly regulated arena of gambling companies, where security violations are more common and information about them is more closely controlled.
But that also points up a challenge inherent in the White House’s current effort to standardize breach notifications with a federal law. As breaches continue to spread beyond the traditional target of retailers to banks, gaming companies and other highly regulated businesses, the hardest questions may involve exactly what details should go into breach notifications, and what to do when breach-law requirements conflict with longstanding regulatory practices and rules.