Steve Grammont has posted an update on this matter, detailing the actions pursued in response to the concerns raised and his position on the matter:
If anybody is inclined to post REAL information to threads like the one on Matrix, here's the summary of where we're at:
1. A tiny fraction of customers who placed orders in the past 2 months have chimed in here to say their credit cards had fraudulent charges placed in the beginning of January. This includes my own card which, one would be correct to assume, was never used to purchase anything from Battlefront.com. Which means some sort of group compromise happened AND that it includes people that have not placed an order with Battlefront.com.
2. Battlefront never has, and never will, collect customer credit card information. Instead, credit card information goes direct from a customer's browser to our payment processor (PayPal/PayFlow). All Battlefront gets is a report from the processor which gives the transaction a thumbs up or thumbs down along with some transaction codes. Since someone can't steal what we don't have, there's absolutely no chance in a billion years that credit card information was taken from our server.
3. While it is theoretically possible to hack our website and change the order processing script to have the customer's browser hijack credit card info, this has already been checked by our webstore host and there have been no changes to our scripts. They checked twice, in fact, because I asked them to.
4. If anybody thinks they are immune from massive data breaches like these, think again. It must be remembered that nearly a billion online accounts were documented to have been breached in 2018. Most of us have had a credit or bank card compromised more than once (I had an ATM card physically skimmed, including PIN). Even those who think they haven't had a card compromised have probably received a replacement credit card out of the blue. That means the card company thinks your card has likely been compromised and is proactively replacing it.
5. Some think that the tiny fraction of customers who had a credit card compromised AND placed an order for CMSF2 couldn't be a coincidence. Which is wrong on so many levels. First, most of the people reporting in say they bought a CMSF2 product, which isn't surprising since that's the biggest selling group of products in the time period covered. Obvious coincidence. Second, my credit card was also hit with fraud charges at the very same time in a very similar way as the others noted here, but I've never used it to purchase items from Battlefront.com. Obvious coincidence. Third, timing of a specific purchase and a fraud charge inherently means nothing because a card used years ago, and stored somewhere, is just as vulnerable as a card used 5 seconds ago. Trying to tie a specific transaction to a specific breach is, therefore, not straightforward and is prone to being coincidental. Fact is, humans are thoroughly documented to be very poor evaluators of cause/effect and extremely prone to incorrectly finding meaning in something that has none. Be it religion, "lucky" lottery numbers, bad things happen after a black cat crosses one's path, two people in a room of 30 having the same birthday is noteworthy, etc.
With that said, because the world is a very complex and nasty place when it comes to cyber security, I cannot 100% rule out someone somehow got a hold of a tiny slice of customer payment data one time for a limited time. Nor can I rule out winning the lottery if I pick up a discarded ticket on the sidewalk. Which is why I will always check into the possibility of a customer breach just as I will always pick up a discarded lottery ticket.
Wite2 - Lead Tester