Attorney General James secures $300,000 from online sporting goods retailer for failing to protect consumer privacy

NEW YORK – New York State Attorney General Letitia James has secured $300,000 from online sporting goods retailer Sports Warehouse Inc. (Sports Warehouse) for failing to protect the personal data of 2.5 million consumers. Sports Warehouse owns the online sporting goods websites Tennis Warehouse, Running Warehouse, Skate Warehouse, and Tackle Warehouse. Because of poor data security, it was vulnerable to a data breach in 2021 that compromised consumers' personal information, including the credit card information and email addresses of over 136,000 New Yorkers. As a result of the agreement, Sports Warehouse will be required to pay the state a $300,000 fine and increase cybersecurity measures to protect consumers' personal information.

“Sports Warehouse operates without the proper equipment to protect online shoppers from cyberattacks and is now paying the price of violating consumers’ digital privacy,” said Attorney General James. “When we buy tennis shoes or gym clothes online, we don’t expect thieves to get away with credit card information or other personal information. and we will continue to pursue companies that violate this right and will continue to improve our data security practices.”

In 2021, attackers accessed a subsidiary server of Sports Warehouse in an apparent trial-and-error attempt to identify login credentials. After gaining access to the company's servers, the attacker created several web shells for remote access to Sports Warehouse's commerce server. This server contained payment card information for nearly every purchase made through the websites since 2002. Sports Warehouse's investigation found that the attackers also accessed certain customers' email addresses and passwords. In total, the attacker may have accessed the unexpired payment card information of 1,813,224 consumers, including 101,558 New Yorkers, and the login credentials of 1,180,939 consumers, including 82,757 New Yorkers.

The Office of the Attorney General (OAG) determined that Sports Warehouse had not adopted reasonable practices to protect consumers' personal information. Specifically, OAG found that Sports Warehouse had encrypted consumers' personal information on its servers and had not employed proper data deletion practices.

As a result of today's agreement, Sports Warehouse must pay the state a $300,000 fine and take steps to better protect consumers' personal information going forward, including:

  • Maintain a comprehensive information security program that includes regular updates to keep pace with changing technology and security threats, and that reports security risks to company leaders;
  • Encrypt the personal information that the company collects, uses, stores, and maintains;
  • Enforce requirements for hashing customer passwords and all stored passwords;
  • Develop a penetration testing program that includes regular testing of the company's network security; and
  • Update data collection and retention practices, including collecting data only to the minimum extent necessary to perform legitimate business functions and permanently deleting all data for which there is no longer a reasonably foreseeable business or legal purpose.

The action builds on Attorney General James' continued commitment to protecting consumers' personal information and holding companies accountable for poor cybersecurity. Earlier this week, Attorney General James recovered $550,000 from a healthcare management company for failing to protect patient privacy. Last month, Attorney General James released a comprehensive data security guide to help businesses better protect New Yorkers' personal information. In December 2022, Attorney General James secured $200,000 from Herff Jones, a maker of school caps and gowns, for failing to protect consumers' personal information. In October 2022, Attorney General James announced a $1.2 million agreement with the owners of SHEIN and Zoetop for failing to adequately address a data breach that compromised the personal information of millions of consumers nationwide. In June 2022, Attorney General James secured $400,000 from Wegmans and required Wegmans to improve its data storage security after a data breach exposed consumers' personal information. In March 2022, Attorney General James issued a consumer alert advising T-Mobile customers to take appropriate steps to protect personal information following a data breach.

The matter was handled by Assistant Attorney General Laura Mumm and Deputy Director Clark Russell, under the supervision of Director Kim Berger, with special assistance from Nishant Goswamy, Internet Technology Analyst at the Internet Technologies Office. The Internet Technologies Office is part of the Division of Economic Justice and is headed by Deputy Attorney General Chris D’Angelo and overseen by Deputy Attorney General Jennifer Levy.
