The Green Bay Packers Pro Shop website was exposed to malicious code that stole data about more than 8,500 shoppers, the NFL team says.
# Incident Report: Green Bay Packers Pro Shop E-Skimming Attack
## Executive Summary
Hackers successfully implanted malicious code onto the Green Bay Packers Pro Shop website, leading to the skimming of payment card data from customers checking out between September and October 2024. The intrusion was detected on October 23, 2024, prompting the immediate shutdown of payment functions and subsequent remediation. The incident impacted over 8,500 customers, resulting in the potential theft of credit card numbers, names, and addresses.
## Incident Details
- Discovery Date: October 23, 2024
- Incident Date: September 23, 2024 – October 23, 2024 (Period of compromise)
- Affected Organization: Green Bay Packers (Pro Shop website)
- Sector: Sports/E-commerce
- Geography: USA (Notification states impact across multiple states including ME, TX, VT, MA)
## Timeline of Events
### Initial Access
- Date/Time: Sometime before September 23, 2024
- Vector: Hidden code insertion (E-skimming malware) onto the Pro Shop website.
- Details: Malicious code was inserted into the payment/checkout functionality of the e-commerce site, allowing data capture during transactions.
### Lateral Movement
- *Not explicitly detailed, as the attack focused on a single point of entry/data capture (the checkout page).*
### Data Exfiltration/Impact
- Period: September 23–24, 2024, and October 3–23, 2024.
- Details: Unauthorized third parties viewed or acquired customer information entered at checkout using a limited set of payment options. Data included names, billing/shipping addresses, credit card numbers, expiration dates, verification numbers (CVV/CVC), and card types. Gift cards, PayPal, and Amazon Pay transactions were not affected.
### Detection & Response
- **Detection:** The team was notified of an intrusion on October 23, 2024 (the notification is attributed to the external security firm Sansec; the article notes the Packers stated they were notified on this date).
- **Actions:**
1. Immediate shutdown of payment and checkout functions on the Pro Shop website.
2. Investigation launched, retaining an outside cybersecurity firm.
3. Malicious code was removed from the checkout page following the forensic investigation's results (discovered December 20, 2024).
4. Affected users required to reset passwords.
5. Notification of affected customers and regulators across multiple states.
## Attack Methodology
- **Initial Access:** Compromise of the Pro Shop website/hosting environment to inject malicious JavaScript (e-skimmer).
- **Persistence:** Maintained via the injected malicious code remaining on the checkout page until remediation.
- **Privilege Escalation:** *Not specified; the attackers likely exploited vulnerabilities in the underlying web platform or hosting environment.*
- **Defense Evasion:** Attack relies on the code executing client-side during the payment process, often mimicking legitimate scripts.
- **Credential Access:** Theft of payment card numbers and associated personal/billing information entered during the checkout process.
- **Discovery:** *Not specified.*
- **Lateral Movement:** *Not specified; focused on data collection at the transaction point.*
- **Collection:** Siphoning data entered into input fields within the payment forms.
- **Exfiltration:** *Method of exfiltration is not detailed; e-skimmers typically send captured data to an attacker-controlled command and control (C2) server.*
- **Impact:** Financial fraud risk and PII/PCI data exposure for thousands of customers.
## Impact Assessment
- **Financial:** Costs related to remediation, investigation, customer notification, and providing credit monitoring services. (Specific organizational cost N/A).
- **Data Breach:** 8,514 individuals impacted. Compromised data includes names, physical addresses, and full payment card data (cardholder data covered by PCI DSS).
- **Operational:** Temporary shutdown of payment/checkout functions on the Pro Shop website.
- **Reputational:** Negative public perception due to a major data breach disclosure in early 2025 concerning a fall 2024 incident.
## Indicators of Compromise
- **Network indicators:** *None explicitly provided in defanged or raw format.*
- **File indicators:** Malicious code inserted onto the Pro Shop website checkout pages (Client-side JavaScript).
- **Behavioral indicators:** Unauthorized capturing and redirection of input data from payment form fields.
## Response Actions
- **Containment:** Shut down payment and checkout functionality immediately upon notification on October 23.
- **Eradication:** Identified and removed the malicious code from the Pro Shop website via internal IT team and external cybersecurity experts. Collaborated with the website hosting vendor.
- **Recovery:** Forced password resets for all site account holders. Resumed normal operations after remediation confirmed. Providing affected victims with three years of credit monitoring and identity theft protection via Experian.
## Lessons Learned
- Third-party dependencies (e.g., e-commerce platform vendors) represent significant risk vectors for client-side supply chain attacks like e-skimming.
- Continuous, specialized monitoring (like that provided by firms tracking e-skimming) is vital for modern payment security, beyond traditional network perimeter defenses.
## Recommendations
- Implement Subresource Integrity (SRI) checks for all third-party scripts loaded on checkout pages, so the browser refuses to execute a script whose contents no longer match the published hash.
- Increase security monitoring specifically focused on changes to JavaScript files deployed on payment processing pages.
- Broaden PCI compliance auditing routines to include active monitoring for Magecart/e-skimming attack patterns.
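The first two recommendations above can be turned into a routine check. The following is an added example, not code from the report, the Packers, or any vendor named in it: it replicates the browser's SRI verification for every external `<script>` on a checkout page (flagging scripts with no `integrity` attribute as well as those whose served contents no longer match), and separately diffs a baseline of hashes for the site's own deployed JavaScript files, which SRI does not cover. The URLs, file paths, script contents and the "modified" script are all constructed sample data; `fetch` is a dictionary lookup so the example runs offline.

```python
# Added example (not part of the incident report): an offline auditor that
# replicates the browser's Subresource Integrity (SRI) check for every
# external <script> on a checkout page, plus a baseline hash diff for
# first-party JavaScript that SRI does not cover. All URLs, file contents
# and hashes below are constructed sample data.
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity string ("sha384-<base64 digest>") for content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


class ScriptTagParser(HTMLParser):
    """Collect the attributes of every <script> tag that has a src."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attributes = dict(attrs)
            if attributes.get("src"):
                self.scripts.append(attributes)


def audit_checkout_page(html: str, fetch) -> list[tuple[str, str]]:
    """Classify each external script as ok / missing-sri / integrity-mismatch / unreachable.

    `fetch(url)` must return the script body as bytes, or None if it cannot be
    retrieved; in this example it is a dict lookup so everything runs offline.
    """
    parser = ScriptTagParser()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs["src"]
        integrity = (attrs.get("integrity") or "").split()
        if not integrity:
            # A browser enforces nothing here, so a swapped file loads silently.
            findings.append((src, "missing-sri"))
            continue
        body = fetch(src)
        if body is None:
            findings.append((src, "unreachable"))
            continue
        # The integrity attribute may list several hashes; any one match passes.
        matched = any(sri_hash(body, token.split("-", 1)[0]) == token for token in integrity)
        findings.append((src, "ok" if matched else "integrity-mismatch"))
    return findings


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare {path: integrity hash} snapshots of deployed JavaScript files."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Constructed sample data: the script as deployed, and the same script after
# an unauthorized edit (represented here by a harmless comment).
ORIGINAL_CHECKOUT_JS = b"function pay(form) { /* legitimate checkout logic */ }"
MODIFIED_CHECKOUT_JS = ORIGINAL_CHECKOUT_JS + b"\n/* unauthorized modification */"
ANALYTICS_JS = b"console.log('analytics');"

CHECKOUT_PAGE = f"""<html><body>
<form id="payment"><input name="card_number"><input name="cvv"></form>
<script src="https://cdn.example.com/checkout.js"
        integrity="{sri_hash(ORIGINAL_CHECKOUT_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.example.com/analytics.js"></script>
</body></html>"""

# What the CDN serves now: checkout.js has been altered, analytics.js carries no SRI.
SERVED_NOW = {
    "https://cdn.example.com/checkout.js": MODIFIED_CHECKOUT_JS,
    "https://cdn.example.com/analytics.js": ANALYTICS_JS,
}


def run_demo() -> dict:
    """Run both checks over the sample data and return their findings."""
    page_findings = audit_checkout_page(CHECKOUT_PAGE, SERVED_NOW.get)
    baseline = {"/static/js/checkout.js": sri_hash(ORIGINAL_CHECKOUT_JS)}
    current = {
        "/static/js/checkout.js": sri_hash(MODIFIED_CHECKOUT_JS),
        "/static/js/helper.js": sri_hash(b"// new file"),
    }
    return {"page": page_findings, "files": diff_baseline(baseline, current)}


if __name__ == "__main__":
    results = run_demo()
    for src, status in results["page"]:
        print(f"{status:20} {src}")
    print(results["files"])
```

Run against the sample data, the page audit reports `integrity-mismatch` for `checkout.js` and `missing-sri` for `analytics.js`, and the file diff reports `checkout.js` as changed and `helper.js` as added. The second check matters because SRI only protects scripts that carry an `integrity` attribute: if the attacker edits the site's own HTML or first-party JavaScript, as in a hosting-environment compromise, the browser has nothing to compare against, so a scheduled baseline diff of the deployed files (and a Content Security Policy restricting `script-src` and `connect-src` on payment pages) has to cover that gap.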