Fraudulent Credit Card Charges? Your Band Merchandise Purchase May Have Been Hacked.

NOTICE: If you reside in California, made an online purchase on a Warner Music Group e-commerce website between April 25, 2020, and August 5, 2020 and received a NOTICE OF DATA BREACH, contact the Arnold Law Firm at (916) 777-7777.

 “Just had an e-mail this morning from Warner Music Group saying security had been breached and account details had been acquired,” user u/Way2Competitive posted on Reddit on August 24, 2020.

“If anyone else has bought Dance Gavin Dance merch through their website, might be worth a check to make sure everything looks ok!”

man-holding-card-on-phoneThe user went on to share the Data Breach Notice that Warner Music Group (WMG) submitted with the State of California Department of Justice Attorney General.

On August 5, 2020, WMG discovered that an unauthorized third party compromised a number of e-commerce websites operated by WMG that are hosted and supported by an external service provider. The security incident allowed the third-party access to customer personal information entered into the affected websites during transactions between April 25, 2020 and August 5, 2020.

Was Your Card Compromised?

If you made a purchase from a music band website between April 25, 2020, and August 5, 2020, it’s worth looking into.

Let’s look at the example above. u/Way2Competitive purchased merchandise from the Dance Gavin Dance band website during the data breach time window.

Dance Gavin Dance is an American post-hardcore rock band from Sacramento, California. The band is currently with Rise Records, an independent record label that focuses on heavy metal and punk rock music artists.

Rise Records is not a WMG label, so how was u/Way2Competitive’s transaction compromised?

Rise Records has a distribution deal with Alternative Distribution Alliance, a distributor owned by WMG. WMG artist services business works with WMG artists, as well as artists not signed to their recording labels to support both commerce and marketing aspects of artists’ businesses.

Because the Dance Gavin Dance website and its shopping cart is managed through WMG, the band website transactions were exposed to the Magecart attack, which skims payment card details, including card numbers, VCV/CVVs, and expiration dates.

How Can You Check?

Unfortunately, WMG has not disclosed a list of affected e-commerce websites, which makes it nearly impossible for shoppers to tell if they are at risk for identity theft and fraud. In fact, consumers may not even realize that they made a purchase from a WMG website, because it can be difficult to determine whether a music-related website is associated with WMG.

If you made any recording artist-related purchase online from April to August, we suggest that you search your email folders for “notice of data breach" from WMG. These notices are commonly screened by spam filters and may not reach your inbox.

Notices may also be sent via USPS delivery. WMG appears to still be in the process of notifying consumers who were affected by the security incident.

WMG is directing questions about the security incident to 1-866-951-4190 or data.protection@warnermusic.com.

How Big Was the WMG Data Breach?

At this time, it is unknown how many consumers were affected by the WMG data breach. However, the music giant is associated with an estimated 65,000 songwriters, including Ed Sheeran, Lizzo, and Led Zepplin.

Three months of consumer transactions involving thousands of recording artist websites may have been compromised, which could potentially translate into credit card information stolen from millions of shoppers.

On social media forums, disgruntled consumers have mentioned fraudulent credit card activity believed to be associated with various band website purchases, including:

  • Smashing Pumpkins
  • Greatful Dead
  • Gojira
  • Cold Play
  • Oliver Tree
  • Dance Gavin Dance
  • Kehlani
  • Li’l Uzi
  • Neil Young
  • Gorillaz

I Got a WMG Data Breach Notice, Now What?

WMG is offering 12 months of identity monitoring services to affected customers at no cost. The company is also encouraging customers to monitor any unauthorized use of payment cards and suspicious email communications, particularly those purporting to come from WMG or any WMG-related websites.

You may also want to investigate whether possible legal action applies to your situation, especially if you live in California.

The California Consumer Privacy Act (CCPA) applies to companies that do business in California and collect personal information from California residents. The CCPA went into effect on January 1, 2020 and is considered to be one of the broadest state-level privacy laws in U.S. history. Among the rights the CCPA endows is the consumer’s right to bring an action for statutory damages if a data breach meets certain requirements.

If you reside in California, made an online purchase on a WMG e-commerce website between April 25, 2020 and August 5, 2020, and received a NOTICE OF DATA BREACH, contact the Arnold Law Firm at (916) 777-7777 to discuss your situation and possible developing legal options.