Guitar Tuition Website Suffers Six-Month Data Breach

A Florida company that offers guitar lessons online to millions of students around the world has suffered a data breach.

Unauthorized access to TrueFire's computer system went on for six months before the breach was detected on January 10, 2020.

In a data breach notification letter dated March 9, 2020, and signed by TrueFire Chief Customer Officer Ren Wright, users who made purchases via the website between August 3, 2019, and January 14, 2020, were warned that their data may have been compromised.

Wright said that data exposed during the lengthy breach may have included names, addresses, payment card account numbers, card expiration data, and security codes.

Though the company does not store customers' payment card information itself, it warned that threat actors with access to its computer system may have been able to steal this information in real time as users bought classes and courses.

Wright wrote: "On January 10, 2020, TrueFire discovered that an unauthorized person gained access to our computer system and, more specifically, to information that consumers had entered through our website.

"While we do not store credit card information on our website, it appears that the unauthorized person gained access to the website and could have accessed the data of consumers who made payment card purchases, while that data was being entered, between August 3, 2019 and January 14, 2020."

TrueFire did not reveal how the breach was discovered but said that it has been reported to law enforcement. The company also said that it is "working with computer forensic specialists to determine the full nature and scope of the intrusion."

The company has advised its users to review their credit and debit card statements and check for any discrepancies or unusual activity. 

"You should also remain vigilant and continue to monitor your statement for unusual activity going forward," wrote Wright. No offer was made to provide users with free credit monitoring services. 

In its breach notification letter, TrueFire gave no reason why it waited until March 9 to inform users of the breach, which was discovered on January 10. No mention of the data breach could be found on the TrueFire website at the time of publication.
