Online sporting goods retailer Sports Warehouse must pay the state of New York $300,000 in penalties for a data breach affecting 2.5 million consumers. According to the New York Attorney General, Sports Warehouse had poor data security that left it vulnerable to a data breach in 2021 which compromised consumers’ private information, including credit card information and email addresses for more than 136,000 New Yorkers.
In 2021, an attacker gained access to Sports Warehouse’s subsidiary servers, apparently by attempting to identify login credentials through repeated trial and error. After gaining access to the companies’ servers, the attacker created several web shells to gain remote access to the Sports Warehouse companies’ commerce server, which contained payment card information for nearly every purchase made through their websites since 2002. The investigation by the Sports Warehouse companies found that the attacker had also accessed certain customers’ email addresses and passwords. In total, the attackers potentially accessed the non-expired payment card information of as many as 1,813,224 consumers, including 101,558 New Yorkers, and the login credentials of 1,180,939 consumers, including 82,757 New Yorkers.