Oregon Zoo is informing that visitors who purchased tickets online between December and June had their payment card information compromised.

Formerly Portland Zoo and Washington Park Zoo, Oregon Zoo is a 64-acre zoo owned by the regional Metro government. It is home to 1,800 animals from 232 species, including 28 on the endangered and threatened list.

It is the state’s largest zoo and one of the most popular tourist attractions, with more than 1.7 million visitors every year.

On June 26, Oregon Zoo discovered that its online ticketing service had been compromised. In response to the incident, the site was decommissioned, and an investigation was launched.

The investigation revealed that since December 2023, customer transactions had been redirected to a phishing page.

“On July 22, 2024, the investigation determined that an unauthorized actor redirected customers’ transactions from the third-party vendor who processed online ticket purchases, potentially obtaining payment card information from Dec. 20, 2023, to June 26, 2024,” reads the notice sent to impacted individuals.

The information that has been exposed as a result of this breach includes:

• Full name
• Payment card number
• CVV (card verification value)
• Expiration date

Cybercriminals can use the data above to make purchases online. The fraudsters typically sell the products at a much lower value to obtain cash. In many cases, money mule networks are used to hide the trace of the goods.

Oregon Zoo states that it reviewed all transactions for the six-month period to identify all potentially impacted individuals. In total, 117,815 people will receive the data breach notification from Oregon Zoo.

To protect customers from similar risks in the future, the establishment deployed a new, more secure payments portal.

Additionally, letter recipients are provided with a free-of-charge 12-month credit monitoring and identity protection services to mitigate the risk from the payment card data compromise.

People who purchased tickets for Oregon Zoo between December 2023 and June 2024 should treat unsolicited communications with caution, closely monitor their accounts’ activity, and report any suspicious transactions to their card issuer as soon as possible.

If possible, the safest action is to ask your bank to invalidate the existing payment card and issue a replacement.