Sports Warehouse, which owns the online sporting goods websites Tennis Warehouse, Running Warehouse, Skate Warehouse and Tackle Warehouse, will have to pay $300,000 in penalties to the State of New York and strengthen its cybersecurity measures after being found liable for failing to protect the personal data of 2.5 million consumers according to a statement from New York’s Office of the Attorney General (OAG).
According to the statement, Sports Warehouse had poor data security that left it vulnerable to a data breach in 2021 which compromised consumers’ private information, including credit card information and e-mail addresses for more than 136,000 New Yorkers.
“Sports Warehouse ran its companies without the adequate gear to protect online shoppers from cyberattacks, and today they are paying the price for compromising consumers’ digital privacy,” said New York Attorney General Letitia James. “When we buy tennis shoes or gym clothes online, we don’t expect thieves to run off with our credit card details or other personal information. New Yorkers deserve the peace of mind that their private information is secure, and we’ll continue to go after companies that violate this right and ensure they improve their data security practices.”
The OAG’s statement said that in 2021, an attacker gained access to Sports Warehouse’s subsidiary servers by attempting to identify login credentials through repeated trial and error. After gaining access to the companies’ servers, the attacker created several web shells to gain remote access to the Sports Warehouse companies’ commerce server, which contained payment card information for nearly every purchase made through their websites since 2002.
The investigation by the Sports Warehouse companies found that the attacker had also accessed certain customers’ e-mail addresses and passwords. In total, the attackers potentially accessed the non-expired payment card information of as many as 1,813,224 consumers, including 101,558 New Yorkers, and the login credentials of 1,180,939 consumers, including 82,757 New Yorkers.
OAG determined that the Sports Warehouse companies failed to adopt reasonable practices to protect consumers’ personal information. In particular, OAG found that Sports Warehouse companies had failed to encrypt consumers’ private information on its servers and adopt appropriate data deletion practices.
As a result of the agreement, the Sports Warehouse companies must pay the state $300,000 in penalties and adopt measures to protect better the personal information of consumers in the future, including:
- Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the companies’ leadership;
- Encrypting the private information the companies collect, use, store, and maintain;
- Strengthening the requirements for customers’ passwords and hashing all stored passwords;
- Developing a penetration testing program that includes regular testing of the companies’ network security; and,
- Updating its data collection and retention practices, including only collecting data to the minimum extent necessary to perform legitimate business functions and permanently deleting all such data when there is no longer a reasonably foreseeable business or legal purpose to retain such information.
The matter was handled by Assistant Attorney General Laura Mumm and Deputy Bureau Chief Clark Russell, with special assistance from Internet and Technology Analyst Nishaant Goswamy, of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger.
The Bureau of Internet and Technology is a part of the Division for Economic Justice, led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.