Biltmore attackers steal user credit card details


Attackers targeting Biltmore's online store injected malicious code into an application hosted by a third-party vendor and used it to steal sensitive user details, such as payment card numbers and CVV values.

Biltmore, a US-based estate owned by the Vanderbilt family, had its online wine store penetrated, the company revealed in a breach notification letter. According to Biltmore, it was notified about the attack in mid-February.

“Biltmore was notified that an unauthorized party inserted malicious code into the application that Biltmore uses to process orders from this online retail store. The application is hosted by a third-party vendor,” reads the notification.

A subsequent investigation revealed that from December 5th, 2023, the attackers used the malicious code injection to steal credit card data used to purchase wine on the online store as well as other information that users submitted to the website.

According to Biltmore, malicious actors accessed:

  • Names
  • Addresses
  • Email addresses
  • Payment card numbers
  • Card expiration dates
  • Card Verification Values (CVV) and similar security codes

Exposure of payment card data, including expiration dates and CVV values, poses severe risks to the affected users. Malicious actors can use the information to make unauthorized payments and drain the victim's funds. Moreover, attackers may try to mask their illicit activities using stolen card details.

Biltmore stressed that the attack has only impacted the online store, while its other systems, including those related to ticket sales, hotel stays, and in-person purchases made on-site at Biltmore, were not impacted by the incident.

“We have taken comprehensive actions to mitigate the incident, including notifying the FBI, successfully locking the unauthorized malicious party out of the impacted application, undertaking a full forensic investigation, and temporarily closing our online retail store,” Biltmore explained.

The organization added that it has also completely replaced its transaction environment and removed the malicious code that attackers used to obtain user details.

The company said it will provide affected individuals with complimentary identity theft and credit monitoring services.

The Biltmore company controls Biltmore Estate, a historic house museum in North Carolina, USA. The mansion was established in the late 1800s by George Washington Vanderbilt II. The Estate is still controlled by the Vanderbilts.