Fans of the Green Bay Packers experienced a breach of personal and sensitive information following a cyberattack on the team’s merchandise website, the Pro Shop. “Malicious code” was injected into the platform, which is operated by a third-party vendor. Green Bay Packers, Inc., the non-profit organization behind the NFL team, disclosed the breach in a notification letter. According to the letter, the organization became aware of the attack in late October 2024 and determined that the malicious code was active during two periods: September 23–24, 2024, and October 3–23, 2024. During this time, attackers may have stolen sensitive customer data. The Packers’ public statement says that “only a limited number of individuals who conducted credit card transactions on the website” were affected, but a report to the Maine Attorney General’s office revealed that over 8,500 individuals were impacted.
The notification explained that the malicious code enabled attackers to view and steal data entered on the Pro Shop’s checkout page, including credit card information, names, and addresses. Transactions made with gift cards, Pro Shop website accounts, PayPal, or Amazon Pay were reportedly unaffected. A Packers spokesperson stated, “The incident was limited to the single e-commerce website and did not affect any other Packers information technology or data. We are working closely with our vendors and third-party experts to ensure our sites are as secure as possible for our fans.”
Although the initial point of compromise remains unclear, Steve Povolny, Senior Director of Security Research at Exabeam, described the attack as preventable with proper monitoring. He emphasized that such breaches could be mitigated even after attackers establish a foothold. The breach poses significant risks to affected individuals, as stolen credit card details can be used for unauthorized purchases or sold on the dark web. Additionally, the exposed personal information could facilitate identity theft, allowing attackers to open credit accounts, apply for loans, or launch phishing campaigns. Given that the victims are likely Packers fans, attackers could also impersonate the organization to execute scams and spear-phishing attacks.
To mitigate the damage, the Packers organization is offering 36 months of free credit monitoring and identity theft restoration services to affected individuals. Victims are also encouraged to remain vigilant by reviewing account statements, monitoring free credit reports, and promptly addressing any signs of fraudulent activity.