Green Bay Packers Pro Shop Data Breach Compromises Customers


The Green Bay Packers disclosed on Monday a data breach affecting their official online retail store, packersproshop.com, after discovering malicious code designed to steal customer payment information.

The breach, identified in late October 2024, involved the insertion of a card skimmer script by an unauthorized third party, compromising sensitive data entered during checkout.

The compromised information includes names, billing and shipping addresses, email addresses, credit card types, numbers, expiration dates and CVV codes. Transactions made on September 23-24 and October 3-23, 2024, were potentially impacted. However, payments made using gift cards, PayPal, Amazon Pay or Pro Shop website accounts were reportedly unaffected.

Response and Security Measures

Upon discovering the breach on October 23, the Packers said they disabled all payment and checkout functions and initiated a forensic investigation with the assistance of cybersecurity experts. The team also required their web hosting vendor to remove the malicious code, update passwords and confirm the site was secured against further vulnerabilities.

The breach was initially identified by Sansec, a Dutch e-commerce security firm, which reported that the attackers used a JSONP callback method combined with YouTube’s oEmbed features to bypass the website’s content security policy (CSP). This technique enabled the unauthorized exfiltration of sensitive customer data to an external server.
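A defender-side check for the weakness described above, as an added example that is not code from Sansec, the Packers or this article: it parses a Content-Security-Policy header and flags script sources that trust an entire host, since any script-returning endpoint on a trusted host (a JSONP callback, for instance) satisfies such a policy. The function names and both sample policies are constructed for illustration.

```javascript
// Added example. Function names and sample policies are constructed for
// illustration; they are not taken from the affected site.

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Return findings for script sources that trust a whole host or scheme.
function auditScriptSources(header) {
  const d = parseCsp(header);
  const sources = d.get('script-src') || d.get('default-src');
  if (!sources) return [{ issue: 'no-script-restriction', source: null }];
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  // With a nonce or hash plus 'strict-dynamic', CSP3 browsers ignore host
  // and scheme sources, so they no longer widen the policy.
  const strict = hasNonceOrHash && sources.includes("'strict-dynamic'");
  const findings = [];
  for (const src of sources) {
    if (src === "'unsafe-inline'" && !hasNonceOrHash) {
      findings.push({ issue: 'unsafe-inline', source: src });
    }
    if (src.startsWith("'") || strict) continue; // keyword, nonce or hash
    const anyHost = src === '*' || /^[a-z][a-z0-9+.-]*:$/.test(src);
    findings.push({ issue: anyHost ? 'any-host' : 'host-allowlist', source: src });
  }
  return findings;
}

// Constructed policy: every script-returning URL on both hosts is trusted.
const WEAK = "default-src 'self'; script-src 'self' https://www.youtube.com https://cdn.example";
// Constructed policy: only scripts carrying the per-response nonce may run.
const STRICT = "script-src 'nonce-PLACEHOLDER' 'strict-dynamic' https://www.youtube.com; object-src 'none'";

for (const f of auditScriptSources(WEAK)) console.log(`${f.issue}: ${f.source}`);
console.log(auditScriptSources(STRICT).length, 'findings for the nonce-based policy');
```

A `host-allowlist` finding is not proof of a bypass; it marks a host whose script-returning endpoints all need review, or a policy that should move to nonces or hashes.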


To support affected customers, the Packers are offering three years of credit monitoring and identity theft restoration services through Experian. The team advises those who made purchases during the affected period to review their credit card statements for any signs of fraudulent activity and report suspicious transactions to their banks and relevant authorities.

“The breach serves as a compelling case for the need for constant vigilance, regular security audits and the implementation of robust security frameworks that can adapt to evolving threats,” commented Javvad Malik, lead security awareness advocate at KnowBe4.

“Especially for e-commerce platforms, where customer trust is paramount, the investment in security is not just a regulatory requirement but a fundamental business need.”

This incident is part of a broader pattern of cyber-attacks targeting the NFL, following similar breaches affecting multiple teams in 2023.
