Oregon Zoo has warned that 117,815 customers may have had their payment card information compromised by cybercriminals.
In a notice to customers dated August 16, the company revealed that an unauthorized actor redirected customers’ transactions from a third-party vendor who processed online ticket purchases.
This potentially allowed the attackers to obtain payment card information used in transactions on the site from December 20, 2023, to June 26, 2024.
Read now: American Express Warns Credit Card Data Exposed in Third-Party Breach
The customer payment information potentially breached includes names, payment card numbers, CVV and expiration dates.
No Social Security numbers were affected by the attack.
Oregon Zoo first became aware of suspicious activity on its online ticketing service on June 26, leading to the site being decommissioned and an investigation launched.
Federal law enforcement has been informed about the incident and written notices have been provided to relevant state regulators.
Zoo Customers at High Risk of Fraud
Oregon Zoo urged potentially impacted customers to continually review their account statements and monitor free credit reports to identify potential incidents of identity theft and fraud.
Any suspicious charges should be reported to the bank that issued their payment card, and contact the Federal Trade Commission, their state Attorney General, and law enforcement to report attempted or actual identity theft and fraud.
The Zoo is offering these customers free access to credit monitoring services for one year.
Read now: New PCI SSC Head Outlines Evolving Payment Security Amid Standards Upgrade
Commenting on the story, Ray Kelly, Fellow at the Synopsys Software Integrity Group, said it is “alarming” that redirected payments went unnoticed for six months before the breach was detected.
“If your website accepts payments or collects any form of user data, simply put, you are a potential target. Maintaining a strong and proactive cybersecurity posture is crucial for any business to combat these threats and protect their users," Kelly noted.
Oregon Zoo added that it is reviewing its existing security policies and procedures to reduce the likelihood of similar events in the future. The organization has also decommissioned the previous online ticketing website and rebuilt a new secure site for online ticket purchases.
Image credit: ARTYOORAN / Shutterstock.com