The State of New York fined online retailer Sports Warehouse after a massive data breach exposed information on more than a million US citizens.
Data breaches are common nowadays, often prompted by an unsecured database, employee negligence or another mundane reason. But the Sports Warehouse incident is noteworthy because the company had been collecting almost 20 years of credit card data from consumers, which it kept in plain text and with a simple password.
“Between approximately 2002 and 2021, the Sports Warehouse Entities processed consumers’ online credit card transactions through a credit card processor via the Sports Warehouse Websites,” reads the statement made by the Attorney General of the State of New York. “As a result, the Sports Warehouse Entities had access to consumers’ payment card information, much of which they stored indefinitely on their servers.”
Sports Warehouse and its many entities gathered credit card transaction data between 2002 and 2021. At the end of 2021, a fraud intelligence advisory firm contacted the retailer and informed it that customer payment card data had been posted on the dark web. The leaked information included Card Verification Values (“CVVs”), cardholder names and billing addresses.
Criminals launched a brute-force attack against Sports Warehouse’s servers on Sept. 10-11, 2021, and gained access to the web server’s admin page, which was protected only by a password. No other security control was present. Making matters worse, the organization stored everything without encryption.
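A password-only admin page is exactly the kind of login a brute-force attempt hammers in bursts, and those bursts are visible in ordinary web server access logs. The following detector is an added example written for this article, not code from Sports Warehouse or from the Attorney General’s statement. It parses combined-format access-log lines, keeps a sliding window of failed POSTs to an assumed admin login path (`/admin/login`, an assumption), and raises one alert per source address once the failures inside the window reach a threshold. The log lines are constructed for illustration and have nothing to do with the real incident.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-format access log (Apache/NGINX style), simplified to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

ADMIN_LOGIN_PATHS = {"/admin/login"}   # assumed location of the admin login form
FAIL_STATUSES = {401, 403}             # responses that indicate a rejected login
WINDOW = timedelta(seconds=60)         # sliding window per source IP
THRESHOLD = 5                          # failures inside the window that trigger an alert

# Constructed sample log lines (not from any real system). They contain:
#  - 203.0.113.7: six rapid failures, the pattern a brute-force tool produces
#  - 198.51.100.22: two typos followed by a successful login (benign)
#  - 192.0.2.5: five failures two minutes apart, never five inside one window
#  - one malformed line, which the parser must skip rather than crash on
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2021:22:15:01 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/Sep/2021:22:15:02 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/Sep/2021:22:15:03 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/Sep/2021:22:15:04 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/Sep/2021:22:15:05 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/Sep/2021:22:15:06 +0000] "POST /admin/login HTTP/1.1" 401 512
198.51.100.22 - - [10/Sep/2021:22:16:00 +0000] "POST /admin/login HTTP/1.1" 401 512
198.51.100.22 - - [10/Sep/2021:22:16:20 +0000] "POST /admin/login HTTP/1.1" 401 512
198.51.100.22 - - [10/Sep/2021:22:16:35 +0000] "POST /admin/login HTTP/1.1" 200 1024
this line is not a valid access-log entry
192.0.2.5 - - [10/Sep/2021:22:20:00 +0000] "POST /admin/login HTTP/1.1" 401 512
192.0.2.5 - - [10/Sep/2021:22:22:00 +0000] "POST /admin/login HTTP/1.1" 401 512
192.0.2.5 - - [10/Sep/2021:22:24:00 +0000] "POST /admin/login HTTP/1.1" 401 512
192.0.2.5 - - [10/Sep/2021:22:26:00 +0000] "POST /admin/login HTTP/1.1" 401 512
192.0.2.5 - - [10/Sep/2021:22:28:00 +0000] "POST /admin/login HTTP/1.1" 401 512
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (ip, first_failure_ts, last_failure_ts, count).

    One alert is emitted per IP the first time its failed admin-login POSTs
    reach `threshold` inside a sliding `window`; later failures from an
    already-alerted IP are not reported again.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip it, do not let it crash the detector
        if ev["method"] != "POST" or ev["path"] not in ADMIN_LOGIN_PATHS:
            continue
        if ev["status"] not in FAIL_STATUSES:
            continue  # successful or other responses are not counted as failures
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()   # drop failures that have aged out of the window
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append((ev["ip"], q[0], q[-1], len(q)))
    return alerts


if __name__ == "__main__":
    for ip, first, last, count in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ip}: {count} failed admin logins between {first} and {last}")
```

On the constructed log only `203.0.113.7` is reported; the user with two typos and the slow, spread-out failures stay below the threshold. In practice the window and threshold are tuned to the site’s real login traffic, and the same alert is the natural trigger for temporary lockout or rate limiting on the login endpoint.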
Attackers also gained access to specific customers’ login credentials. In total, criminals may have accessed the non-expired payment card information of 1,813,224 consumers, including 101,558 New Yorkers, and the login credentials of 1,180,939 consumers, including 82,757 New Yorkers.
Besides paying the $300,000 fine to the State of New York, the company must encrypt all personal information it collects. It must also implement strong password policies, adopt anti-malware protections such as EDR solutions, and perform regular penetration testing of its network and systems.
Sports Warehouse also needs to delete information collected from users when there’s no current or foreseeable business or legal purpose to retain it.