Security Experts:

Payment Card Data Compromised in Big Fish Games Breach

A piece of malware installed on the systems of Seattle-based casual gaming company Big Fish Games has been used to steal customer payment information.

According to Big Fish Games, the company discovered the breach on January 12. The malware was installed on the billing and payment pages of the company’s website and it appears to have intercepted customer data such as names, addresses, payment card numbers, expiration dates, and CVV2 codes. The attackers have not been identified.Big Fish Games hacked

In a letter sent out to affected individuals, a copy of which was published last week on the website of the California Attorney General, Big Fish Games noted that only customers who had entered new payment information on the company’s website between December 24, 2014 and January 8, 2015 may be affected. Those who used payment information from a previously saved profile don’t appear to be impacted.

Big Fish told SecurityWeek that there is no indication that this issue had any impact on customers who purchased games for iOS and Android devices, or through Facebook.

“We have taken the necessary steps to remove the malware and prevent it from being reinstalled. We have reported the incident to and are cooperating with law enforcement. We have also informed the credit reporting agencies and payment card networks about this incident so that they make take appropriate action regarding your card account,” Ian Hurlock-Jones, the CTO of Big Fish Games, wrote in the letter sent to affected customers.

The gaming company is offering impacted individuals a complimentary one-year membership to Experian’s ProtectMyID Alert service. Users can activate the service by May 31, 2015.

It’s uncertain how many of Big Fish Games’ customers are impacted by the breach, but the company told SecurityWeek that the incident “resulted in the interception and diversion of payment information of a small percentage of our total customers.”

“Upon learning of the potential security incident, we immediately took steps to remove the malware responsible for the issue. We hired a leading data security forensics firm to assist in our investigation of the incident to fully understand the event and to help us better assure data security going forward,” said a Big Fish spokesperson.

Founded in 2002, Big Fish claims to be the world’s largest producer and distributor of casual games. The company says it has distributed more than 2.5 billion games to customers in 150 countries.

Several major companies reported suffering payment card data breaches in the past year. The list includes Home Depot (56 million cards compromised), TripAdvisor’s Viator (1.4 million cards compromised), Goodwill, HSBC Turkey, and P.F. Chang’s.

*Updated with statement from Big Fish Games

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.