The nefarious, encrypted strings were discovered on March 16, 2015, but following an investigation into the incident the administrators determined that the initial date of the breach may go as far back as February 11.
Payment card information may be at risk
Once the unauthorized code was discovered, the admins proceeded to removing it and strengthening the security measures on the website for increased protection of the data stored.
The security improvement efforts were assisted by a specialized company. As part of this process, My Freedom Smokes changed the method for taking online orders, although it had already relied on encrypted communication with the clients and the card processor gateway machine was encrypted during the breach period.
According to a notification from the company, the financial information that may have been grabbed by the attacker includes names, physical addresses, email addresses, telephone numbers, credit card numbers, expiration dates and the card verification value (CVV) code.
Basically, all the data needed for placing an order on the website (or on any other online store) during the aforementioned period may have been exposed.
Customers incurred fraudulent charges
The company informs that the payment card numbers it stores are only partial and that CVVs are not saved on its infrastructure.
Some of the My Freedom Smokes customers have reported fraudulent charges on their payment cards during the breach period. However, it is unclear if the illegal activity was due to the compromise of this retailer or a different one.
Unlike in the case of other data breach incidents, My Freedom Smokes does not offer complimentary subscription to an identity protection service; this step is not mandatory, though.
On the other hand, it provides tips on keeping safe from malicious activity and recommends reviewing the bank account statements for irregular transactions.