Bulletproof 360, Inc. suffered a data breach in which malicious actors injected unauthorized code into its e-commerce checkout page. Over multiple periods, this compromise exposed sensitive customer information, including names, addresses, email addresses, payment card numbers, expiration dates, and card security codes. The breach was detected on October 13, 2016, but the official report was filed over a year later, on November 27, 2017. The incident highlights a severe failure in payment processing security, allowing attackers to harvest financial data directly from transactions. Given the nature of the stolen information (full payment card details), customers faced heightened risks of fraud, identity theft, and unauthorized transactions. The prolonged exposure period before detection further exacerbated the potential damage, as the compromised data could have been exploited for extended fraudulent activity. The breach underscores vulnerabilities in the company’s web infrastructure, particularly in safeguarding payment gateways against code injection attacks. While the report does not specify ransomware involvement, the scale and sensitivity of the leaked data suggest a high-impact cyber attack with lasting repercussions for both the company’s reputation and customer trust.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-113868
TPRM report: https://www.rankiteo.com/company/bulletproof360
"id": "bul037091825",
"linkid": "bulletproof360",
"type": "Cyber Attack",
"date": "10/2016",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Approximately (exact number '
                                              'unspecified)',
                        'industry': 'E-commerce / Retail (Likely)',
                        'location': 'California, USA',
                        'name': 'Bulletproof 360, Inc.',
                        'type': 'Private Company'}],
 'attack_vector': 'Unauthorized Code Injection (Checkout Page Compromise)',
 'data_breach': {'data_exfiltration': 'Likely (via unauthorized code)',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Email Addresses',
                                                         'Payment Card Numbers',
                                                         'Expiration Dates',
                                                         'Card Security Codes'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Payment Card Information '
                                              '(PCI)']},
 'date_detected': '2016-10-13',
 'date_publicly_disclosed': '2017-11-27',
 'description': 'The California Office of the Attorney General reported that '
                'Bulletproof 360, Inc. experienced a data breach where '
                'unauthorized code was added to its checkout page, potentially '
                'exposing customers’ names, addresses, email addresses, '
                'payment card numbers, expiration dates, and card security '
                'codes. The breach was identified on October 13, 2016, and '
                'occurred over several periods, with the report being made on '
                'November 27, 2017.',
 'impact': {'data_compromised': ['Names',
                                 'Addresses',
                                 'Email Addresses',
                                 'Payment Card Numbers',
                                 'Expiration Dates',
                                 'Card Security Codes (CVV/CVC)'],
            'identity_theft_risk': 'High (Payment card details exposed)',
            'payment_information_risk': 'High (Full card details including '
                                        'CVV/CVC)',
            'systems_affected': ['Checkout Page']},
 'initial_access_broker': {'entry_point': 'Checkout Page (Code Injection)',
                           'high_value_targets': 'Payment Card Data'},
 'investigation_status': 'Reported (2017-11-27)',
 'references': [{'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulations_violated': ['Potential violation of '
                                                    'California Data Breach '
                                                    'Notification Law (Civil '
                                                    'Code § 1798.82)',
                                                    'Potential PCI DSS '
                                                    'non-compliance (if '
                                                    'applicable)'],
                           'regulatory_notifications': 'California Office of '
                                                       'the Attorney General'},
 'response': {'communication_strategy': 'Reported to California Office of the '
                                        'Attorney General'},
 'title': 'Bulletproof 360, Inc. Data Breach via Checkout Page Compromise',
 'type': 'Data Breach (Payment Card Skimming)'}