ICG America notifies customers of its companies of payment system compromise (update 2)

ICG America, which operates a family of retail and e-commerce companies that includes Amazing Clubs, Flying Noodle, MonsterBrew, Games2U, TexasIrons, and California Reds, has joined the ranks of those disclosing hacks involving customer data.

In August, ICG America was alerted by a credit card company that their payment processing system appeared to have been attacked. A security firm immediately retained to investigate found evidence of an attack that began on January 2, 2013 and continued until August 2, 2013.

According to a statement by Elena Loyola,  the data were encrypted but,

The attacker installed a program on our network that created the ability to decrypt and capture payment card information from our system.

Because of the nature of the program used by the attacker, the investigation could not determine whether the attacker actually viewed or removed any information from any system.

Customer information that might have been viewed or removed included name, address, e-mail address, credit or debit card account number, expiration date, and card verification value.

No explanation was provided as to how the attackers managed to insert a program on their system, and no mention was made as to whether law enforcement had been notified of the incident.

ICG America did not offer affected consumers any free credit protection services.

You can read a copy of their consumer notification, which is available on the California Attorney General’s site. As of this morning, there is no breach alert on their web site or on the sites of the companies they operate.

Update 1: This breach resulted in notification to 6,105 Maryland residents. The total number nationwide is still unknown.

Update 2: This breach resulted in notification to 1,451 New Hampshire residents, too.

About the author: Dissent

6 comments to “ICG America notifies customers of its companies of payment system compromise (update 2)”

You can leave a reply or Trackback this post.
  1. hamburgey - September 27, 2013

    Check my CC on a weekly basis and last week noticed 2 fraudulant charges so had the bank cancel and issue another one, then got a letter yesterday from ICG about this. I ordered a beer of the month gift for a friend. Guess this is how it happened. Not sure how or if they passed PCI compliance. Sounds like an inside job to me. Usually PCI compliance would require the port for the DB to be SSL so how did the hacker get into it without a certificate. Also must not have been using high ciphers for someone to be able to decrypt. Won’t order anything again from them

    • Dissent - September 29, 2013

      Given the rampant number of hacks on e-commerce sites, I tend to doubt this was an inside job, but that’s just my speculation, fwiw.

  2. linda - September 29, 2013

    I also was a victim. I’m furious that this happened in January and I first got the letter from them in September. I also will not be ordering anything from them again.

  3. Floyd - September 30, 2013

    Similar situation here. We ordered the “wine of the month”. Received the “breach” letter last week and an invoice for an order of soccer balls this week. Someone used the data to setup an account in our name. Does anyone know if any class action lawsuits against ICG America have been filed yet? They should be liable for negligence, failure of timely customer notification, failure to reveal the scope of the breach, breach of contract, etc.

    • Mark - October 17, 2013

      I would love to know as I too had the beer of the month product and the credit card used was comprised a week before they decided to send out acknowledgement of the breach. I would love to bleed these fuckers dry. I’m not sure how sitting on the information and doing nothing for that long cant be considered negligent.

  4. Pissed in SC - October 7, 2013

    I too am a victim. My card was used four times in the three days before I received their letter. They said the malicious code was on their computer from January thru September. Evidentially, when the hacker saw they were discovered and they ran out and started trying to get as much usage as possible. I was able to track one of the purchases back to an 84 year old woman in a nursing home in Tulsa, OK. She too must have been a victim. I don’t know where to check state laws about civil penaties. They said their California company filed the breach, but I thougth they were located in Texas. Alot of states restrict class action suits in these kind of cases to keep the settlements small.

Comments are closed.