NISA Online Store Data Breach

Oct 25, 2017
573
#1
Just received this email:
Notice of Data Breach
FEBRUARY 28th, 2018

Dear Motion Blue :

We are contacting you to notify you of a data breach which occurred between January 23rd, 2018 and February 26th, 2018 on online stores owned and operated by NIS America, Inc., including store.nisamerica.com and snkonlinestore.com. This data breach allowed an unauthorized party to access customer payment and address information for new credit card orders placed between these dates.

Our customers are our top priority, and it is our responsibility to provide a safe and secure environment for you to shop online with confidence. We would like to inform our customers of what happened as a result of this breach, the steps we have taken to resolve it, and what you can do to protect yourself.

Am I impacted by this?

Yes. Your personal information, including your payment information, may have been compromised.
Personal information, including payment information, was taken directly from new orders placed using a credit card between January 23rd, 2018 and February 26th, 2018. Orders placed using PayPal during this time period did not have their payment information or PayPal login information skimmed by this process. Orders placed before this time period were not impacted. Based on our information, we have determined that your information may have been affected by this.

What happened?

On the morning of February 26th, we became aware of a malicious process that had attached itself to our checkout page. This process was being used as far back as January 23rd, 2018 to skim personal information provided by our customers during checkout after they placed an order at our store.

After entering their billing, shipping, and payment information, the customer would be temporarily redirected to an offsite web page not owned or operated by NIS America, Inc. This malicious process would record the information provided by the customer during the checkout process, including credit card information, billing address, shipping address, and email address. Afterward, the malicious process would return the customer to the NIS America store page to complete their transaction.

Transactions conducted in this manner were still successfully completed on the NIS America store pages. However, the payment information recorded by the malicious process could be used for fraudulent charges in the future. Fraudulent payments could be attempted at any storefront that accepts credit card payments, not just NIS America, Inc. store pages.

What information was involved?

The skimming process had access to all information provided by the customer during checkout, including their name, address, credit card number, expiration date and CVV security code, and email address.

We do not collect Social Security numbers, and there is no evidence that any payment or billing information provided prior to January 23rd, 2018 was compromised.

What actions were taken as a result of this issue?

Once we became aware of this issue, we immediately took our store pages offline to prevent any further breaches. After taking our store pages offline, we scanned all our processes to determine the exact point of entry, as well as determine when this change occurred on our online stores. We have taken steps to solve the issue that resulted in this breach, along with several other steps to improve our site’s security.

What you can do to protect yourself:

-Check your bank or credit card statement for suspicious activity, or charges that you do not recognize. If you see any fraudulent or suspicious charges, please contact your bank or credit card’s fraud department. It is possible for any information gathered by this malicious process to be saved and used at a later date, so regularly checking your statements for unusual activity is the best way to ensure your card is not being misused.

-Contact your bank or credit card company to cancel cards you feel may be impacted by this issue, and request a new card. If you request a new card, please remember to update any automatic payments that may attempt to draw from the old card. If replacing a card, you will need to update preorders for future products provided by NIS America, Inc.’s online stores. For secure payment, we can send invoices via email directly from PayPal, which can be paid with or without a PayPal account. PayPal information was not breached during this event.

-Check your credit report for any anomalies. The Federal Trade Commission recommends http://www.annualcreditreport.com/ . Additionally, you can place a free, 90-day fraud alert with one of the three major credit bureaus and/or place a credit freeze on your file to restrict access to your credit report by other parties. For more information, please visit https://www.identitytheft.gov/Steps

-If you have a user account on one of NIS America, Inc.’s online stores, please know that we do not store payment information within these accounts. User accounts are used primarily to track past orders and gain reward points. Data for past orders is stored securely, and will only show the last four digits of a credit card, and will not show the CVV security code or expiration date. It is still recommended to change the password of any accounts you have with a store operated by NIS America, Inc.

-If you encounter any warning messages from your web browser that you may be proceeding to an unsafe page on our site or any other site, stop what you are doing and contact the site’s operators.

-Keep an eye out for fraudulent emails, texts, phone calls, or fake websites trying to get your personal information. Never give out private or personal information, including financial details, unless you can verify the identity of the person or organization contacting you. Don’t respond to texts or emails coming from a contact you don't recognize, and don’t click on any links they provide. Instead, if you need to check your account, type the site address you want to visit into your browser and securely log into your account.

-NIS America will never ask you for your personal information, payment information, or password via email, unless contacted to do so by our customers via our customer support channels. Updated payment information is only collected through PayPal, using either an invoice or direct payment.

We know that this issue and the steps needed to resolve it can be frustrating. We share these feelings, and we pledge to do our best to get this issue resolved, and prevent it from happening again. At this time, we can say that we have identified the issue, removed it from our website, and taken steps to prevent this issue from recurring, as well as added new security to our online stores. We would not be reopening our online stores if we did not feel confident that they are a safe place to shop.

We are committed to earning back your trust and confidence, and we hope to have the opportunity to serve you again soon. We will be sending out codes for a $5.00 discount on your next purchase from our online store to those impacted by this issue within the next few days. We understand that this is a small token, but we hope it will show our commitment and appreciation of our customers as we begin to regain your trust.

If you have any questions or concerns, please feel free to contact us and we would be happy to assist you in any way that we can. We can be reached anytime at [email protected].

We are determined to provide you with a safe and secure shopping experience going forward. We hope to see you on our online stores again soon.

Sincerely,

NISA Online Store team
[email protected]
Looks to be legit. Awful timing, since they had just announced preorders for Labyrinth of Refrain recently.
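
The notice above describes checkout data being diverted to an offsite page before the customer is returned to the store. As an added example (not part of the thread and not NIS America's code), this is one way a store operator could audit a saved copy of a checkout page for scripts, frames, form targets and redirects that leave an approved set of hosts. The host names, the allowlist and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser load from or submit to a URL.
URL_ATTRS = {("script", "src"), ("iframe", "src"), ("form", "action"),
             ("input", "formaction"), ("button", "formaction")}
# Quoted absolute or protocol-relative URLs inside inline script text.
# Obfuscated or concatenated URLs are not caught by this pattern.
INLINE_URL = re.compile(r"""['"`]((?:https?:)?//[^\s'"`<>]+)""")
META_URL = re.compile(r"""url\s*=\s*['"]?([^'";\s]+)""", re.I)


class CheckoutAudit(HTMLParser):
    """Collects every reference whose host is outside the allowlist."""

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []          # (kind, host, absolute_url)
        self._in_inline_script = False

    def _check(self, kind, raw_url):
        absolute = urljoin(self.page_url, raw_url.strip())
        host = (urlsplit(absolute).hostname or "").lower()
        if host and host not in self.allowed:
            self.findings.append((kind, host, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        for name, value in attrs.items():
            if (tag, name) in URL_ATTRS and value:
                self._check(f"{tag}[{name}]", value)
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            match = META_URL.search(attrs.get("content", ""))
            if match:
                self._check("meta[refresh]", match.group(1))
        self._in_inline_script = tag == "script" and "src" not in attrs

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            for match in INLINE_URL.finditer(data):
                self._check("inline-script", match.group(1))


def audit_checkout(html, page_url, allowed_hosts):
    """Return the off-allowlist references found in one page snapshot."""
    parser = CheckoutAudit(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample data: hypothetical store host and allowlist.
PAGE_URL = "https://store.example.test/checkout"
ALLOWED_HOSTS = {"store.example.test", "cdn.store.example.test"}
SAMPLE_PAGE = """
<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.store.example.test/lib.js"></script>
<script src="//collector.example.invalid/c.js"></script>
<script>var next = "https://pay.example.invalid/step2";</script>
</head><body>
<form id="payment" action="https://pay.example.invalid/submit" method="post">
<input name="card_number"><button formaction="/checkout/confirm">Pay</button>
</form></body></html>
"""

if __name__ == "__main__":
    for kind, host, url in audit_checkout(SAMPLE_PAGE, PAGE_URL, ALLOWED_HOSTS):
        print(f"{kind:15} {host:28} {url}")
```

Run against a fresh fetch of the live checkout page on a schedule, any new finding is a change worth investigating before customers reach it.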
 
Oct 25, 2017
4,731
UK/FR
#3
Seems that the European online store hasn't been affected at least. Hope that nothing bad happens to American customers though.
 
Oct 26, 2017
3,128
#4
Was just about to post this... My credit card I use on there just got a fraud charge 2 weeks ago. I got my new card and was trying to contact them on updating my number, but they removed the phone number off their site! After they had extended maintenance the other day, it explains why.

I need to upgrade info (safely) for my pre-orders and I still have new ones to make :x (looks like they are sending out emails for a "pay when you want" basis via Paypal).

Really crappy breach though... Always thought of NISA as one of the safer sites.
 
OP
MotionBlue
Oct 25, 2017
573
#6
Was just about to post this... My credit card I use on there just got a fraud charge 2 weeks ago. I got my new card and was trying to contact them on updating my number, but they removed the phone number off their site! After they had extended maintenance the other day, it explains why.

I need to upgrade info (safely) for my pre-orders and I still have new ones to make :x (looks like they are sending out emails for a "pay when you want" basis via Paypal).

Really crappy breach though... Always thought of NISA as one of the safer sites.
It's inevitable really, but odd to target such a niche website. I haven't had anything crop up yet, but I'm always alert for odd charges.
 
Oct 25, 2017
4,622
#7
Man, I'm glad I didn't pre-order anything within this time-frame. Sorry to all of those affected. :(

I guess this is further reason to switch over to PayPal entirely, whenever it's available.
 
Oct 26, 2017
3,128
#8
It's inevitable really, but odd to target such a niche website. I haven't had anything crop up yet, but I'm always alert for odd charges.
You might want to consider requesting a new card asap. Looks like I used another card on the site, and will be changing that too. Better safe than have to deal with fraud claims (but moving pre-orders over is the REAL pain).

So shady though... I NEVER think of double-checking for redirects when checking out :x


Man, I'm glad I didn't pre-order anything within this time-frame. Sorry to all of those affected. :(

I guess this is further reason to switch over to PayPal entirely, whenever it's available.
I would, but I hate that most storefronts have Paypal as "pay right away". I'd rather pay later on when it actually comes out, personally.
 
Oct 27, 2017
960
#9
That would explain why I got my card cloned the other day after I pre-ordered 2 collector's.... They tried to buy 3800 dollars in an Italian cloth store.... no way it would have passed. It would be nice for them to contact us to change the card number, and not have us running after them to charge us in this case.
 
Oct 26, 2017
3,128
#10
That would explain why I got my card cloned the other day after I pre-ordered 2 collector's.... They tried to buy 3800 dollars in an Italian cloth store.... no way it would have passed. It would be nice for them to contact us to change the card number, and not have us running after them to charge us in this case.
Mine was for clothes too! Some Karmaloop street wear store.
 
Oct 27, 2017
3,182
#11
Looks like I’m good since I haven’t been on that website since V3 came out. Sucks for those who are affected by this.
 
Oct 25, 2017
4,622
#12
I would, but I hate that most storefronts have Paypal as "pay right away". I'd rather pay later on when it actually comes out, personally.
That's why I tended to go with credit card when it's available, but the more stories such as this happen, it kind of continues to push me towards PayPal, even though I'd need to pay up-front. I hate having my credit card stolen and having to go through all of the replacement situation.
 
Oct 26, 2017
3,128
#13
That's why I tended to go with credit card when it's available, but the more stories such as this happen, it kind of continues to push me towards PayPal, even though I'd need to pay up-front. I hate having my credit card stolen and having to go through all of the replacement situation.
I get my cards replaced bi-annually >_> Bank doesn't notify me, just "oh you might've been breached! Here's a new card!!" It sucks...

I think I might just start doing Paypal more when available. It sucks, but this sucks more...
 
Oct 27, 2017
960
#15
Mine was for clothes too! Some Karmaloop street wear store.
When the bank called me I was like, I went to Italy like 4 years ago, it could explain why it got cloned there (but at the same time I have probably changed cards since then). Happy to know the source now, I'll be a lot more careful next time.

I can't really blame them. I'm working as a programmer in security for my bank, I know exactly how these things work, it's actually pretty easy to replicate. This is why I use a credit card 100% of the time, because of the assurance that they give for that kind of fraud.
 
Oct 27, 2017
390
#16
Oh man, I'm lucky. I placed my SNK Heroines order on January 11th and with PayPal.

Sorry for all those affected. It fucking sucks.
 
Oct 25, 2017
4,555
#18
I got the special edition of Danganronpa V3 from them when it came out, so I panicked for a sec, but thankfully that's outside of the date range
 
Oct 26, 2017
3,128
#19
I can't really blame them. I'm working as a programmer in security for my bank, I know exactly how these things work, it's actually pretty easy to replicate. This is why I use a credit card 100% of the time, because of the assurance that they give for that kind of fraud.
What I wish is that more sites would make it simple like Amazon (or even the Square Enix Store of all places) to be able to log in and change your info.... Calling every place during business hours is annoying -_-
 
Oct 25, 2017
4,622
#20
I get my cards replaced bi-annually >_> Bank doesn't notify me, just "oh you might've been breached! Here's a new card!!" It sucks...

I think I might just start doing Paypal more when available. It sucks, but this sucks more...
Given the state of online security, getting your cards replaced bi-annually isn't a bad idea. Mine lasts a few years and I'm generally pretty careful about where I spend it, but I'd be lying if I said it wasn't a constant worry. With PayPal I don't really need to concern myself, and some stores allow later payment and not up-front (it's definitely a rarity though, unfortunately). I agree that early payment definitely sucks less than a credit card breach, that's for sure.

Sorry about that situation you find yourself in, I hope you're able to switch over your pre-orders (if any) to your new card when it comes.
 
Oct 25, 2017
2,338
#21
Fuck my life. Pre-ordered Coven limited edition without using Pay-Pal.

I'm probably going to never touch nisa online store again.
 
Oct 25, 2017
1,763
#22
Fuck my life. Pre-ordered Coven limited edition without using Pay-Pal.

I'm probably going to never touch nisa online store again.
i got hit too, but getting a new card tomorrow and the fraudulent charges removed from it, and the other card canceled as a precaution (it wasn't hit). this is the only time in the ten years they've been running that this has happened as far as i'm aware.

also the second time in 5 years i've had to get a new card due to fraud. pretty sure the last two times were both because of amazon.
 
Oct 26, 2017
3,128
#23
i got hit too, but getting a new card tomorrow and the fraudulent charges removed from it, and the other card canceled as a precaution (it wasn't hit). this is the only time in the ten years they've been running that this has happened as far as i'm aware.

also the second time in 5 years i've had to get a new card due to fraud. pretty sure the last two times were both because of amazon.
Yeah I've been buying since the Rosenqueen days, and this was a first. My other fraud had previously been from Video Games Plus... I wonder if they ever fixed their site?
 
Oct 25, 2017
4,622
#24
Yeah I've been buying since the Rosenqueen days, and this was a first. My other fraud had previously been from Video Games Plus... I wonder if they ever fixed their site?
Rosenqueen, that brings me back.

And nope, it's still recommended to use PayPal on VGP. As for whether it's safe or not...I'm not willing to take that risk, haha.
 
Oct 28, 2017
148
#27
This lines up with what happened with a card I had JUST got a couple of weeks ago. I thought I was going crazy since I only used it IRL one time and online one time. Never imagined the perp would be from this.

Well, whoever it is got their car fixed and purchased about $800 worth of groceries all on the same day... What a guy
 
Oct 27, 2017
1,847
#29
I guess that’s why I found an unauthorized transaction on one of my cards just this morning. Already cancelled that one and will probably cancel a second one as a precaution.
 
Oct 26, 2017
3,128
#30
If you made any purchases from NISA's American website between Jan. 23rd - Feb. 26th, no, you're not safe.

And this is why I use stuff like NoScript. Yeah it breaks the internet, but... safety first! :)
I use NoScript too and this still went through :/
 
Oct 29, 2017
4,650
Mt. Whatever
#31
I use NoScript too and this still went through :/
If the script was attached to NISA's server and you opted to set them to "Trusted" then yeah of course it still went through.

I'm honestly surprised it took this long for NISA's store to get hit, for a long time they didn't even have https. Last thing I ordered from them though must have been the Neptunia Victory LE from back in 2013 lol.
 
Oct 26, 2017
3,128
#32
If the script was attached to NISA's server and you opted to set them to "Trusted" then yeah of course it still went through.
Problem being that if you don't allow the main site and some scripts relating to the store, then nothing will work at all to make a purchase. I figured it was tied to the original site, in this case. I keep an eye out for any unknown names that pop up, but yeah it's not always easy...
 
Nov 8, 2017
1,894
#33
Luckily I haven't made a NISA purchase since Ys 8. Still that sucks.

That $5 discount though. Totally makes up for possible identity theft and credit card fraud.
 
Oct 25, 2017
569
#34
I put an order in on Feb 15 for Fallen Legion LE using PayPal so I'm good I think. Haven't received an email from NISA and I don't see any suspicious charges. However, I think they may have gotten my email address because I've received a few emails in the past couple of weeks that basically go like "Here is a receipt for a transaction made through apple app store etc. Please click on this link to review or cancel order". I'm guessing that this will take me to a fake storefront and I'll be prompted to log in with my info.
 
Oct 27, 2017
487
#35
I work for a small local credit union, it's insane how much card fraud we have seen in the last two years. Stuff like this is all too common these days, unfortunately. Luckily our automated system is fairly good at catching unfamiliar charges, but in a situation like this we obviously recommend changing your card number ASAP and being vigilant for any potential fraudulent charges, since it's not always large amounts they try to get away with and something like a $4.99-9.99 charge is far easier to slip by you than a huge amount. Also, kinda random, but if you happen to use Uber, double check any charges to verify they're yours... a large trend lately has been using stolen card numbers to pay for transportation services.
 
Oct 25, 2017
166
#36
Wow, this one is pretty horrifying. I mean I understand compromised databases and stuff like that, but to have a rogue script and redirect on your page for a month? Ouch.
 
Oct 26, 2017
3,128
#37
Luckily I haven't made a NISA purchase since Ys 8. Still that sucks.

That $5 discount though. Totally makes up for possible identity theft and credit card fraud.
I work for a small local credit union, it's insane how much card fraud we have seen in the last two years. Stuff like this is all too common these days, unfortunately.
$5 is still a nice gesture, considering the mess. As seen above, it's not uncommon at ALL anymore for something to happen, anywhere. If someone tries, they can get in almost anywhere, I'm sure. So, this was NISA's turn to get hit :/ There's definitely horrible website security (Video Games Plus), but it doesn't matter, it can happen anywhere. NISA wasn't even aware of it until a couple days ago, so it looks like the breachers were sneaky with it. Still good that they shut down the store and took care of it ASAP, AND gave a detailed, transparent notice on what went on. Major breaches (Equifax) are usually pretty horrible on these sort of things.
 
Oct 25, 2017
762
Downunder.
#38
To avoid my CC number being harvested in situations like this, I actively try to limit the number of online stores which have my CC number. Apart from Amazon, I pretty much have to enter my card # again each time I make a purchase. Visa has a 2FA feature for purchases larger than a certain amount but I don't think every single store has the means to implement it.
 
Oct 31, 2017
21
Oregon
#39
If you made any purchases from NISA's American website between Jan. 23rd - Feb. 26th, no, you're not safe.

And this is why I use stuff like NoScript. Yeah it breaks the internet, but... safety first! :)
I use Noscript when shopping but sometimes it blocks payment systems that sites are using to manage their ecommerce. In my case, I remember unblocking a few things to get my NISA store purchase to go through on the 23rd. I get alerts from my card company if a purchase is made, and nothing unusual has popped up yet. It's been less than a week though, meh. What a pain...
 
Oct 27, 2017
528
#41
Wow this sucks. I don't make purchases off their store, but this sort of thing would make me think twice before doing so.
 
Oct 26, 2017
1,778
#42
I haven't been able to order from the NISA store in years as a European customer, but this is a bummer to hear. A month without noticing is pretty rough.
 
Oct 25, 2017
2,062
Philadelphia, PA
#44
Would have been nice for NIS to have actually sent out an email alert to everyone to change their account passwords.

Even if you haven't bought anything on NISA Webstore, I'd change your password anyways if you have an account there folks.
 
Oct 26, 2017
3,128
#45
So...things are ok going forward right? Safe to place orders again or do you guys think we should still wait?
I would assume so, after the site being down for a day fixing the problem. I still have orders to make >_>


Would have been nice for NIS to have actually sent out an email alert to everyone to change their account passwords.

Even if you haven't bought anything on NISA Webstore, I'd change your password anyways if you have an account there folks.
They did in the email:

It is still recommended to change the password of any accounts you have with a store operated by NIS America, Inc.
It's always a common sense thing too, to change passwords in any kind of breach.
 
Oct 25, 2017
2,062
Philadelphia, PA
#46
Not everyone got an email from NISA about this issue, I certainly didn't. The point I'm making is when it comes to a security vulnerability issue, you don't just warn your most recent customers with an account, they need to warn EVERYONE who has an account on their store.
 
Oct 30, 2017
1,635
#47
Oh boy... I pre-ordered a couple of games, just after changing my CC two months ago... Now I have to do it again. :(
 
Oct 31, 2017
21
Oregon
#48
NISA sent out another email about this today. Apparently the malicious process reinstalled on the 28th, so anyone who used their credit card and purchased between Jan 23 and Feb 25, and then again on Feb 28, had their account information compromised.

What happened to orders placed on February 28th, 2018?

We discovered the issue on February 26th 2018, and took our stores offline until the problem was able to be fixed later that same day. After the issue was removed, the stores were returned back online.

On the afternoon of February 28th, 2018, we discovered that the malicious process was again active. We took our stores offline until the problem was able to be fixed later that same day.

Our information shows that we have been receiving persistent attention from the same group or individual who had implemented the malicious process in January 2018. The malicious process implemented on February 28th, 2018 was identical to the process implemented in January 2018. Although the online stores were free of this issue for the latter part of February 26th and all of February 27th, the malicious process was reintroduced by using an alternate method early in the morning of February 28th. This issue was identified and removed by late afternoon on February 28th. We are continually monitoring our online stores at this time to ensure that no malicious changes are able to be made.

Customers that may have had their information compromised between these dates were sent an email informing them dated March 1st, 2018. If you did not receive an email on this date, it is because our records did not show that you were impacted.
IMPORTANT!

The malicious process used to collect personal information may still remain in your computer’s local files if you attempted to check out of one of our online stores between January 23rd, 2018 and February 26th, 2018, or on February 28th. Even though this process has been removed from our site, it may still be present in your local files. For your safety, we strongly recommend clearing your browser’s cookies, cached files, and other site data to ensure the deletion of these files. Even if you did not visit our site on these dates, we still recommend that you clear your data to ensure you are receiving up-to-date files from our web pages.
 
Oct 26, 2017
3,128
#49
NISA sent out another email about this today. Apparently the malicious process reinstalled on the 28th, so anyone who used their credit card and purchased between Jan 23 and Feb 25, and then again on Feb 28, had their account information compromised.
Geez, that software is really malicious :/ Can't believe they got in again.
 
Oct 25, 2017
272
#50
Think I'm done ordering directly from NISA after all this. $5 is not enough to get me to order from their store again (pre-ordered Coven as soon as it was announced).