On October 3rd, Tully’s Coffee Japan announced that its directly operated mail-order website, Tully’s Online Store, had been illegally accessed, its payment app had been tampered with, and 92,685 user IDs and passwords may have been leaked. Of these, 52,958 users who had registered credit card numbers are at risk of having their card numbers and security codes leaked. The cause was a vulnerability in part of the site’s system, which led to unauthorized access by a third party and tampering with the payment app. The personal information that may have been leaked includes the names, addresses, telephone numbers, gender, date of birth, email address, login ID, login password, and shipping information of 92,685 people who registered as members at the Tully’s Online Store between July 20, 2021 and May 20, 2024. In addition, the credit card numbers, cardholder names, expiration dates, and security codes of 52,958 people who made credit card payments at the store between July 20, 2021 and May 20, 2024 may have been leaked. Affected users have been contacted via email. On May 20th, the Tokyo Metropolitan Police Department contacted the company to inform it that card information may have been leaked, and card payments were suspended the same day. The online store itself was temporarily closed on May 23rd. The site will be refurbished and reopened with enhanced security measures.
>>1 Whenever a data leak occurs, it’s usually the security code. In other words, most companies store security codes. Credit card users shouldn’t feel complacent.
>>3 If the site itself has vulnerabilities that allow entered information to be stolen, it will be leaked even if the security code is not stored in the system.
Since the payment app was tampered with, does that mean that the information entered by users was stolen? Doesn’t the fact that the police have contacted them mean that it has actually been misused and people are causing damage?
I don’t think the security code was set up to be saved. It wasn’t extracted from the database, it was probably just the app being tampered with. The security code was probably saved and made accessible.