Sports Warehouse, an online sports retailer, has reached an agreement to revamp its security program and pay a $300,000 fine to the state of New York following a data breach that affected over 1 million U.S. consumers.
The breach stemmed from the company's failure to encrypt sensitive consumer information and its practice of storing payment card data in plaintext, protected only by an easily guessed password. The attorney general of New York imposed the fine, citing Sports Warehouse for its inadequate security measures and its failure to delete data in a timely manner.
The breach exposed a significant amount of payment card data, including customer names, addresses, card numbers, CVVs, and expiration dates, processed by Sports Warehouse from 2002 to 2021. The company stored much of this data indefinitely on its servers.
As a result of the breach, 1.8 million consumers had their non-expired payment cards exposed, and 1.2 million consumers had their login credentials compromised.
The attack occurred over a weekend in September 2021, and Sports Warehouse learned about it after receiving an alert from a threat-intelligence firm. Following the breach, the company collaborated with Homeland Security Investigations and the U.S. Secret Service.
A subsequent investigation revealed that the attacker gained access to an online file server through a brute-force attack, deployed malicious scripts, and copied payment card data from the file server to the company’s e-commerce server.
To address the security shortcomings, Sports Warehouse has agreed to implement various security enhancements, including encryption of private information, strong password policies, hashing and salting of stored passwords, anti-malware tools, network activity monitoring, regular vulnerability reviews, and timely deletion of sensitive information.
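Two of the agreed measures, salted password hashing and timely deletion of card data, are concrete enough to show in code. The block below is an added illustration, not Sports Warehouse's code or anything from the settlement: it hashes passwords with a per-user random salt using scrypt from the standard library, verifies them in constant time, and purges stored card records once the card has expired or has gone unused beyond a retention window. The scrypt parameters, the 365-day retention window, and the sample records are assumptions chosen for the example. The record type deliberately has no field for the CVV, since PCI DSS forbids keeping that value after authorization.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

# scrypt cost parameters (assumed for illustration; 128*N*r bytes of memory,
# i.e. 16 MiB here, which fits OpenSSL's default 32 MiB limit).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
RETENTION_DAYS = 365  # assumed retention window for unused card records


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'scrypt$<salt hex>$<digest hex>'.

    A fresh random salt per user means two users with the same password
    get different stored values, so a leaked table cannot be cracked with
    one precomputed lookup. Plaintext storage, as in the breach, is the
    thing this replaces.
    """
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


@dataclass
class CardRecord:
    """What the store keeps about a card; note there is no CVV field at all."""
    customer_id: str
    last4: str          # only the last four digits are kept in the clear
    exp_month: int
    exp_year: int
    last_used: date


def card_expired(rec: CardRecord, today: date) -> bool:
    return (rec.exp_year, rec.exp_month) < (today.year, today.month)


def purge_stale_cards(records, today: date, retention_days: int = RETENTION_DAYS):
    """Split records into (kept, purged).

    A record is purged when the card has expired or when it has not been
    used within the retention window, so nothing sits on the server
    indefinitely the way the 2002-2021 data did.
    """
    kept, purged = [], []
    for rec in records:
        stale = (today - rec.last_used).days > retention_days
        (purged if card_expired(rec, today) or stale else kept).append(rec)
    return kept, purged


# Constructed sample data for the example; not real customer records.
SAMPLE_CARDS = [
    CardRecord("c1", "4242", 12, 2025, date(2024, 11, 1)),  # current, recently used
    CardRecord("c2", "1111", 6, 2019, date(2021, 9, 1)),    # card already expired
    CardRecord("c3", "9999", 1, 2026, date(2002, 3, 15)),   # unused for two decades
]
TODAY = date(2024, 12, 1)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored form:", stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    kept, purged = purge_stale_cards(SAMPLE_CARDS, TODAY)
    print("kept:", [r.customer_id for r in kept], "purged:", [r.customer_id for r in purged])
```

Running the purge over the sample data keeps only `c1`; `c2` goes because the card expired in 2019 and `c3` because it has not been used since 2002. Full card numbers, where they genuinely must be retained, belong in an encrypted or tokenized store rather than in the clear; that part of the settlement is not shown here.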
The company will communicate these requirements to its management-level employees, appoint a chief information security officer, and undergo third-party assessments of compliance for the next three years.