What EB Games Canada’s PS5 privacy breach could mean for customers

A security researcher offers some commentary on the issue


In the U.S., video game retailer GameStop has been a trending topic online after its shares rose significantly due to Reddit.

However, GameStop’s Canadian division, EB Games, has been the subject of a completely different controversy.

On Tuesday, January 26th, the retailer restocked the PlayStation 5 in Canada — a routine activity since November, given how the system repeatedly sells out within minutes. However, upon checkout, multiple customers began to notice something peculiar — EB Games Canada’s website was displaying the personal information of other customers. This information included names, phone numbers and addresses, although credit card details appear to have been safe.

Following these reports, MobileSyrup reached out to EB Games Canada multiple times, but no response has been received. The retailer has also not yet publicly commented on the matter on its social media channels, despite several Twitter users tweeting at it about the issue. As a result, it’s unclear exactly how many people might have been affected and what steps the retailer is taking to address the security issue.

In an effort to gain a better understanding of what might be the cause of this privacy breach, we spoke with Alexis Dorais-Joncas, a Montreal-based security intelligence team lead at internet security company ESET.

“From an external point of view, it looks like some programming or system integration errors were present and allowed customers to see personal information of others,” said Dorais-Joncas. “If it’s not already done, EB Games should take the problematic system offline to limit the extent of the information leak, determine which customers were affected and notify them as soon as possible.”

Although he noted that it’s “good news” that the leak doesn’t include payment information, and that there “doesn’t seem to be enough information for an attacker to perform identity theft,” he stressed that this “does not mean the leak is harmless.”

According to Dorais-Joncas, “the main threat, in my opinion, is that opportunistic attackers could use the leaked information to craft extremely believable phishing emails and get their targets to click on malicious links or open a malicious attachment.”

Dorais-Joncas also provided the following example regarding how the leaked information could be used maliciously:

“Imagine [a] scenario where you are a disappointed customer who could not purchase the PS5 before it went out of stock. Then the next day, you get a phishing email with the EB Games look and feel saying, ‘Hi Bradly, we are sorry we ran out of [the PS5] yesterday. But good news! Those items are back in stock, and to make up for yesterday’s disappointment, we reserved those items just for you! But hurry up: you only have 24 hours to complete your purchase by visiting our new exclusive e-store website at [insert malicious link]. After that, we will have to put the items back in our regular inventory.’”

Dorais-Joncas says he suspects “many would click on that link and submit their credit card information in a heartbeat,” especially given how much demand there is for the PlayStation 5.

MobileSyrup will have more information on the EB Games Canada data breach as it becomes available.