Sports Warehouse Fined $300,000 Over Payment Card Data TheftData Breach Exposed Nearly 20 Years of 'Indefinitely' Stored Payment Card Data
Online sports retailer Sports Warehouse has agreed to overhaul its security program and pay a $300,000 fine to New York state over a data breach that impacted over 1 million U.S. consumers. Investigators found that the retailer had been storing nearly 20 years' worth of payment card data on its e-commerce server in plaintext format, protected by only a password, which the attacker guessed.
See Also: 2022 Unit 42 Incident Response Report
The fine was imposed by the attorney general of New York, who cited Sports Warehouse's companies for failing to encrypt sensitive consumer information or delete it in a timely manner, in a settlement agreement signed by Sports Warehouse CEO Drew Munster.
Based in San Luis Obispo, California, Sports Warehouse operates a number of other legally distinct entities - including Tennis Warehouse, Wilderness Sports Warehouse, Tackle Warehouse, Skate Warehouse and Running Warehouse - as well as sites devoted to pickleball, racquetball and other sports. All share employees, IT infrastructure and policies and procedures.
The attorney general's office said the breach exposed most payment card data - customer names, addresses, card numbers, CVVs and expiration dates - that had been processed by Sports Warehouse from 2002 through 2021, with the company storing much of this data "indefinitely on their servers."
Sports Warehouse reports that the breach resulted in the exposure of non-expired payment cards for 1.8 million consumers, as well as login credentials for - comprising an email and password - for 1.2 million consumers.
Consumers "deserve the peace of mind that their private information is secure, and we'll continue to go after companies that violate this right and ensure they improve their data security practices," said Letitia James, attorney general of New York, in a statement.
Weekend Hack Attack
The attack appeared to be launched over a weekend - around Friday, Sept. 10, 2021 - and Sports Warehouse learned about the resulting data breach after receiving an alert from threat-intelligence firm Gemini Advisory on Oct. 15, 2021, according to the New York state investigation.
Gemini reported finding the payment card information being offered via at least one underground cybercrime site and sent an "unsolicited" alert to Sports Warehouse, which was not a customer, investigators reported. Homeland Security Investigations also notified the company about a breach having led to payment card data circulating, after which the retailer liaised with HSI and the U.S. Secret Service, according to the New York state settlement agreement.
In October 2021, Sports Warehouse's payment processor, Fiserv, told the company that a large credit card company had identified multiple suspected cases of stolen payment card data being used for fraudulent purposes, resulting in Mastercard requiring that the company launch a full investigation using an approved Payment Card Industry forensic investigator. The settlement agreement cites the investigator's findings.
The investigator found an attacker appear to have launched a brute-force attack against Sports Warehouse's server authentication and gained access to an online file server that was being protected by only a static password. After that, the attacker deployed web shells - malicious scripts designed to give the attacker additional functionality - and were able to copy them from the file server to the company's e-commerce server, where it processed and stored payment card data.
The server contained details of every order made with the company since 2002, as well as "most credit card data" for every transaction, with the payment card data being stored in plaintext, according to the settlement agreement. The investigator found that the attacker accessed and compressed the data into files, exfiltrated the files and then deleted them.
Security Program Overhaul
As part of the settlement agreement, Sports Warehouse has agreed to ensure that it implements - if it hasn't already done so - a number of improvements, including:
- Encrypting all private information it collects;
- Enforcing strong password-picking policies for users;
- Hashing and salting all stored passwords using "reasonable standards";
- Running anti-malware tools;
- Logging network activity and monitoring it for signs of suspicious behavior;
- Conducting regular penetration testing and vulnerability remediation reviews;
- Deleting personally identifiable or sensitive information in a timely manner unless there is a compelling business or legal reason to retain it.
Sports Warehouse has agreed to ensure those requirements are communicated to all management-level employees and to train them accordingly, as well as to appoint the equivalent of a chief information security officer to oversee its cybersecurity program.
The company has also promised to submit annual third-party assessments of its compliance with those security enhancements, as well as any PCI assessments it conducts, for the next three years.