The Oregon Zoo is notifying roughly 118,000 individuals that their names and payment card information was stolen from its online ticketing service.
The incident was identified on June 26 and resulted in names, payment card numbers, CVVs, and expiration dates being exfiltrated. Transactions processed between December 20, 2023, and June 26, 2024, were likely affected.
“As a precaution, Oregon Zoo reviewed all transactions from this period to identify anyone whose payment card information may have been affected,” the zoo said in a regulatory filing with the Maine Attorney General’s Office.
According to the zoo, threat actors redirected transactions from the third-party vendor that processed online ticketing purchases for Oregon Zoo. The affected website was immediately decommissioned and a new, secure site for online ticket purchases was built.
The zoo notified the Maine AGO that 117,815 individuals might have been affected and also revealed that written notification letters were sent to them on August 16.
“Oregon Zoo notified federal law enforcement regarding the event. Oregon Zoo is also reviewing its policies and procedures to reduce the likelihood of similar events in the future,” the zoo said.
The zoo is offering one year of free credit monitoring and identity protection services to the potentially affected individuals.
One of the oldest zoos in the US, Oregon Zoo was founded in 1888. It’s owned by the regional Metro government and spreads over 64 acres.
While the zoo did not share specific details on the type of cyberattack that led to the data breach, the incident was likely the result of a web skimmer infection on Oregon Zoo’s online ticketing service.
Also referred to as digital skimmers, JavaScript-sniffers, or JS-sniffers, web skimmers are malware families that threat actors inject into legitimate websites, typically on the checkout page, to steal the visitors’ personal and payment card information.
Skimmer infections typically go unnoticed for long periods of time, as was the case with Oregon Zoo, and the stolen information is used to perform various types of fraud. To date, cybersecurity researchers have identified over 130 digital skimmer families.
Related: Police Warn Hundreds of Online Merchants of Skimmer Infections
Related: Magecart Web Skimmer Hides in 404 Error Pages
Related: Website of Canadian Liquor Distributor LCBO Infected With Web Skimmer
