Illinois-based publisher Sourcebooks has notified roughly 9,000 customers that a security vulnerability in its shopping cart software may have enabled criminals to obtain their personal information, including payment card data.

How many victims? 5,204 have been affected, but roughly 9,000 notification letters were sent out as a precautionary measure.

What type of personal information? Names, addresses, phone numbers, email addresses, account passwords and payment card information, including cardholder names, card numbers, expiration dates, and card verification values.

What happened? A security vulnerability in the shopping cart software used by Sourcebooks enabled criminals to obtain the personal information.

What was the response? The shopping cart software was updated and the security vulnerability has been addressed. Steps taken to prevent a similar incident from occurring again include implementing new security measures in accordance with the Payment Card Industry data security standards, and revising internal processes in order to more quickly be able to identify any potential issues. All impacted and potentially impacted individuals are being notified, and asked to change their passwords.

Details: The breach of the shopping cart software occurred from April 16 to June 19. Visa notified Sourcebooks on June 18 that the publisher was a common point of fraudulent charges being reported.   

Source:, “Sample Letter, Put Me In The Story,” Oct. 17, 2014;, “Sample Letter, Sourcebooks;”, “Data breach FAQ,” Oct. 7, 2014; a Monday correspondence with a Sourcebooks spokesperson.