I guess this explains why Cardpool recommended redeeming your gift cards when they announced their closure a couple of months ago.
It turns out that back in 2019, Cardpool suffered a massive data breach which resulted in $38 million of gift cards being exposed, along with 330,000 credit and debit cards. All those details were sold by the hacker a couple of months ago.
Gemini Advisory has the full details of the breach, so it’s worth checking out their post if you’re interested in what happened. As a quick overview:
- When it happened – The breach took place at some point between February 4 and August 4, 2019.
- When the cards were sold – For some reason the hacker didn’t sell the information until February 2021.
- How much the gift cards sold for – The gift cards had an approximate value of $38 million and they appear to have been sold for only $10,000-$20,000.
- How much the payment cards sold for – The 330,000 payment cards were sold for $5,000-$15,000.
With regard to the payment cards, the hacker thankfully didn’t obtain the CVV codes, which will make it much harder for the cards to be used.
The dates involved in this hack are interesting as they line up with some key dates in the downfall of Cardpool. Gemini Advisory has identified the breach as taking place between February and August 2019. Cardpool was sold by Blackhawk Network to a former employee in early 2019, although it’s not clear if that happened just before or just after the breach. There’s therefore no evidence that Blackhawk Network knew about the breach before offloading the company, but perhaps the sale of the company made Cardpool more vulnerable as data security procedures might have changed in the process.
Also interesting is the date of the eventual sale of the gift cards and payment cards by the hacker. That took place in February 2021, which is also when Cardpool announced that they were closing and advised that you should redeem your gift cards as soon as possible. That makes me wonder if Cardpool somehow became aware of the imminent sale of the data, or if the sale of that data occurred at the very beginning of February and Cardpool started suffering from chargebacks almost immediately, so they closed operations before things snowballed.
Another possibility is that in the months preceding the sale the hacker themselves redeemed a number of the gift cards. This could’ve set alarm bells ringing at Cardpool and might have alerted them to the possibility that they’d been hacked at some point. My understanding is that Cardpool knew they’d been suffering from a large amount of fraud, but whether that was linked to this hack or just fraud in general is unclear.
Either way, this is bad news for anyone who’d bought gift cards from Cardpool and hadn’t redeemed the cards yet. If you fall into that category, go and check the value of your cards now and, if you’re lucky enough to still have any value left on them, be sure to redeem them immediately. Also be sure to keep an eye out for unexpected charges on any payment cards you used to buy gift cards from Cardpool back in the day.
h/t Eugene
Nice of the hacker to wait until WELL after the guarantee date for the cards. Even later than any market asks you to keep any cards you sell. Very professional of the hacker.