PrismRBS / Mirrorthief Magecart Skimming Attack — 201 Campus Stores, 176+ Colleges (April 2019)
Incident Details
PrismRBS is a subsidiary of Nebraska Book Company that operates PrismWeb, a white-label e-commerce platform specifically designed for college and university campus bookstores. In April 2019, the platform was targeted by a threat actor designated Mirrorthief, who executed a classic Magecart-style supply chain skimming attack with broad downstream impact.
On April 14, 2019, Mirrorthief compromised PrismRBS infrastructure and injected a malicious JavaScript skimmer into the shared JavaScript libraries used by all PrismWeb-hosted storefronts. Because PrismWeb stores load JavaScript from a central shared repository, a single compromise of the library infected all 201 campus bookstore sites simultaneously — without any individual store being separately targeted.
The skimming script silently harvested payment data from customers checking out on any affected store between April 14 and April 26, 2019, when PrismRBS detected and removed the malicious code. Stolen data included credit and debit card numbers, expiration dates, card verification numbers (CVN), cardholder names, billing addresses, and phone numbers — sufficient for full card-not-present fraud.
Trend Micro researchers, who named the group Mirrorthief, analysed the skimmer and found it closely mirrored techniques used by other Magecart subgroups, including obfuscation methods and C2 exfiltration patterns. The skimmer encoded and transmitted harvested data to an attacker-controlled server.
The attack affected 201 online campus store sites serving 176 colleges and universities in the United States, plus 21 institutions in Canada. The University of Vermont Bookstore and numerous other institutions published breach notifications and FAQs for their communities.
PrismRBS stated it discovered the breach on April 26, 2019, immediately took action to remove the malicious code, launched an investigation, notified law enforcement, and contacted affected card brands and payment processors. Customers who made purchases on affected sites during the two-week window were advised to monitor statements and consider card replacement.
This incident is a textbook third-party supply chain skimming attack: the attacker compromised a centralised e-commerce infrastructure provider rather than individual stores, achieving massive scale with a single intrusion. It parallels other Magecart campaigns targeting shared e-commerce platforms such as Ticketmaster (via Inbenta) and British Airways.
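Because every storefront loaded the same centrally hosted JavaScript, one defensive check is to pin a digest for each shared script and flag any drift from it. The following is an added example, not code from the original page or from PrismRBS; the URLs, script bodies and function names are constructed for illustration.

```javascript
const crypto = require("crypto");

// SRI-format digest (sha384-<base64>) of a script body: the same value a
// browser compares against a <script integrity="..."> attribute.
function sriDigest(body) {
  const hash = crypto.createHash("sha384").update(body, "utf8").digest("base64");
  return "sha384-" + hash;
}

// Compare fetched shared-library bodies against a pinned baseline.
// Each script is reported as "ok", "modified" (digest drift) or
// "unpinned" (served by the platform but absent from the baseline).
function auditSharedScripts(baseline, fetched) {
  return Object.entries(fetched).map(([url, body]) => {
    const actual = sriDigest(body);
    const expected = baseline[url];
    const status = expected === undefined ? "unpinned"
      : expected === actual ? "ok" : "modified";
    return { url, status, expected, actual };
  });
}

// Constructed sample data (hypothetical host and files, not from the incident).
const BASE = "https://platform.example/shared/";
const cartJs = "function addToCart(id) { /* storefront logic */ }\n";
const checkoutJs = "function submitOrder(form) { /* storefront logic */ }\n";

// Baseline recorded at release time from reviewed builds.
const baseline = {
  [BASE + "cart.js"]: sriDigest(cartJs),
  [BASE + "checkout.js"]: sriDigest(checkoutJs),
};

// What the shared repository serves later: one file has code appended
// outside the release process, and one file was never pinned.
const fetched = {
  [BASE + "cart.js"]: cartJs,
  [BASE + "checkout.js"]: checkoutJs + "/* appended, unreviewed code */\n",
  [BASE + "extra.js"]: "/* unknown script */\n",
};

const findings = auditSharedScripts(baseline, fetched);
for (const f of findings) console.log(f.status.padEnd(9), f.url);
```

Run on a schedule against the shared repository, a check like this alerts on the first modified file instead of depending on each storefront to notice.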
Technical Details
- Initial Attack Vector: Magecart-style JavaScript skimmer injected into shared e-commerce library of PrismWeb platform by threat actor Mirrorthief; affected all online stores built on the platform
- Vendor / Product: PrismRBS (PrismWeb e-commerce platform)
- Software Package: PrismWeb (shared JavaScript library)
- Malware Family: Mirrorthief JavaScript card skimmer
- Supply Chain Attack: ✅ Confirmed third-party / vendor compromise
Timeline
- 2019-04-14 Breach occurred
- 2019-05-04 Publicly disclosed
- 2019-05-04 Customers notified