GameStop isn't providing much official detail at this point, but it understands that the payment data may have been "offered for sale on a website." The company adds that it hired a "leading security firm" to investigate on the same day it caught word of the intrusion.

There are still quite a few unknowns, provided the breach report is accurate. How many people are affected? How did the perpetrators get in and operate for months? The one consolation is that GameStop is acting relatively quickly -- there have certainly been incidents where companies took their sweet time discovering that something was amiss.