The Cybersecurity Force Isn’t Strong With Trading Card Company



Growing up, kids my age didn’t need to provide personal information to buy few packs of Topps Inc. baseball cards after practicing their swing at the Home Run Park batting cages. Kids would hand a friendly card dealer a few bucks, go home and open the pack (usually discarding the gum; sometimes chewing it for a minute before it disintegrated) and then organizing them in their binder for the season.

But that’s not how it works anymore. E-commerce sales of cards are a thing. Topps recently notified its customers experienced a data breach that could have exposed the names, e-mail addresses, phone numbers, credit or debit card numbers, expiration dates and verification numbers of customer who placed orders on Topps’ website between July 30 and Oct, 12, 2016, according to a copy of the notification letter posted on the Sports Collectors Daily website.

And it’s not only baseball cards that Topps sells. In addition to other major sports, it sells trading cards for the Walt Disney Co.’s Star Wars and Frozen and Nintendo Inc.’s Pokemon.

Chris Vickery of Mackeeper also announced that he had previously contacted Topps about a possible breach of three of Topps application in December 2015 and June 2016, although it’s unclear that these were the same breaches that Topps announced.

In response to the breach, Topps took standard steps to hire an outside security firm and offer customers who purchased within the window one year of identity theft protection. 

Though the number of accounts likely doesn’t reach the more than one billion Yahoo! Inc.  accounts that were breached, any number of accounts would be more personal information than people thought Topps had when unwrapping rookie Frank Thomas and Ken Griffey Jr. cards in private.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.