Big Fish, the Seattle-based game company acquired in December for up to $885 million by the owner of the Churchill Downs racetrack, says an “unknown criminal” installed malware on its online billing and payment pages to intercept customer payment information — potentially including name, address, card number, expiration date and security code.

In a statement provided to GeekWire, the company says the incident affected “a small percentage of our total customers.”

“Affected customers are limited to those who provided new payment information using a browser to make purchases on our website from December 24 until January 8,” the company says. “There is no indication that this issue had any impact on customers that purchased games for iOS and Android devices, through Facebook or who had entered their payment details prior to or after this time frame.”

The statement adds, “We know this kind of incident can create concern. We are committed to the protection of customers’ personal information and we deeply regret any difficulties or inconvenience this may cause our customers.”

The company reported the issue last week to the California Attorney General, along with a draft letter, dated Feb. 11, to Big Fish customers potentially affected by the incident.

“Your information may have been affected if you entered new payment details on our websites (rather than using a previously saved profile) for purchases between December 24, 2014, and January 8, 2015,” reads the letter from Ian Hurlock-Jones, Big Fish chief technology officer.

The letter continues, “We have taken the necessary steps to remove the malware and prevent it from being reinstalled. We have reported the incident to and are cooperating with law enforcement. We have also informed the credit card reporting agencies and payment card networks about this incident so that they may take appropriate action regarding your card account.”

The company is offering one year of complimentary credit monitoring to affected customers.

Big Fish, known for its Big Fish Casino games, offers a wide variety of casual games across the web, PC, Mac, iOS, and Android.

Here’s the full statement from the company, as provided to GeekWire today.

Big Fish Games Inc. self-discovered evidence that we were the victim of a criminal cyber-security intrusion of our website. Upon learning of the potential security incident, we immediately took steps to remove the malware responsible for the issue. We hired a leading data security forensics firm to assist in our investigation of the incident to fully understand the event and to help us better assure data security going forward.

Based on our investigation, the incident resulted in the interception and diversion of payment information of a small percentage of our total customers. Affected customers are limited to those who provided new payment information using a browser to make purchases on our website from December 24 until January 8. There is no indication that this issue had any impact on customers that purchased games for iOS and Android devices, through Facebook or who had entered their payment details prior to or after this time frame.

We are notifying customers who were impacted by the incident. We are also providing a year of free enrollment in Experian’s ProtectMyID® credit monitoring and resolution service where it’s available.

We know this kind of incident can create concern. We are committed to the protection of customers’ personal information and we deeply regret any difficulties or inconvenience this may cause our customers.
