Fraudulent Credit Card Charges? Your Band Merchandise Purchase May Have Been Hacked.

NOTICE: If you reside in California, made an online purchase on a Warner Music Group e-commerce website between April 25, 2020, and August 5, 2020 and received a NOTICE OF DATA BREACH, contact the Arnold Law Firm at (916) 777-7777.

“Just had an e-mail this morning from Warner Music Group saying security had been breached and account details had been acquired,” user u/Way2Competitive posted on Reddit on August 24, 2020.

“If anyone else has bought Dance Gavin Dance merch through their website, might be worth a check to make sure everything looks ok!”

The user went on to share the Data Breach Notice that Warner Music Group (WMG) submitted with the State of California Department of Justice Attorney General.

On August 5, 2020, WMG discovered that an unauthorized third party compromised a number of e-commerce websites operated by WMG that are hosted and supported by an external service provider. The security incident allowed the third-party access to customer personal information entered into the affected websites during transactions between April 25, 2020 and August 5, 2020.

Was Your Card Compromised?

If you made a purchase from a music band website between April 25, 2020, and August 5, 2020, it’s worth looking into.

Let’s look at the example above. u/Way2Competitive purchased merchandise from the Dance Gavin Dance band website during the data breach time window.

Dance Gavin Dance is an American post-hardcore rock band from Sacramento, California. The band is currently with Rise Records, an independent record label that focuses on heavy metal and punk rock music artists.

Rise Records is not a WMG label, so how was u/Way2Competitive’s transaction compromised?

Rise Records has a distribution deal with Alternative Distribution Alliance, a distributor owned by WMG. WMG artist services business works with WMG artists, as well as artists not signed to their recording labels to support both commerce and marketing aspects of artists’ businesses.

Because the Dance Gavin Dance website and its shopping cart is managed through WMG, the band website transactions were exposed to the Magecart attack, which skims payment card details, including card numbers, VCV/CVVs, and expiration dates.

How Can You Check?

Unfortunately, WMG has not disclosed a list of affected e-commerce websites, which makes it nearly impossible for shoppers to tell if they are at risk for identity theft and fraud. In fact, consumers may not even realize that they made a purchase from a WMG website, because it can be difficult to determine whether a music-related website is associated with WMG.

If you made any recording artist-related purchase online from April to August, we suggest that you search your email folders for “notice of data breach” from WMG. These notices are commonly screened by spam filters and may not reach your inbox.

Notices may also be sent via USPS delivery. WMG appears to still be in the process of notifying consumers who were affected by the security incident.

WMG is directing questions about the security incident to 1-866-951-4190 or [email protected].

How Big Was the WMG Data Breach?

At this time, it is unknown how many consumers were affected by the WMG data breach. However, the music giant is associated with an estimated 65,000 songwriters, including Ed Sheeran, Lizzo, and Led Zepplin.

Three months of consumer transactions involving thousands of recording artist websites may have been compromised, which could potentially translate into credit card information stolen from millions of shoppers.

On social media forums, disgruntled consumers have mentioned fraudulent credit card activity believed to be associated with various band website purchases, including: