DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NY Attorney General James Secures $300,000 from Online Sporting Goods Retailers for Failing to Protect Consumers’ Personal Information

Posted on May 28, 2023 by Dissent

NEW YORK – New York Attorney General Letitia James secured $300,000 from Sports Warehouse Inc. (Sports Warehouse), an online sporting goods retailer for failing to protect 2.5 million consumers’ personal data. Sports Warehouse, which owns the online sporting goods websites Tennis Warehouse, Running Warehouse, Skate Warehouse, and Tackle Warehouse, had poor data security that left it vulnerable to a data breach in 2021 which compromised consumers’ private information, including credit card information and email addresses for more than 136,000 New Yorkers. As a result of this agreement, Sports Warehouse must pay $300,000 in penalties to the state and strengthen their cybersecurity measures to protect consumers’ private information.

“Sports Warehouse ran its companies without the adequate gear to protect online shoppers from cyberattacks, and today they are paying the price for compromising consumers’ digital privacy,” said Attorney General James. “When we buy tennis shoes or gym clothes online, we don’t expect thieves to run off with our credit card details or other personal information. New Yorkers deserve the peace of mind that their private information is secure, and we’ll continue to go after companies that violate this right and ensure they improve their data security practices.”

In 2021, an attacker gained access to Sports Warehouse’s subsidiary servers, apparently by attempting to identify login credentials through repeated trial and error. After gaining access to the companies’ servers, the attacker created several web shells to gain remote access to the Sports Warehouse companies’ commerce server, which contained payment card information for nearly every purchase made through their websites since 2002. The investigation by the Sports Warehouse companies found that the attacker had also accessed certain customers’ email addresses and passwords. In total, the attackers potentially accessed the non-expired payment card information of as many as 1,813,224 consumers, including 101,558 New Yorkers, and the login credentials of 1,180,939 consumers, including 82,757 New Yorkers.

The Office of the Attorney General (OAG) determined that the Sports Warehouse companies failed to adopt reasonable practices to protect consumers’ personal information. In particular, OAG found that Sports Warehouse companies failed to encrypt consumers’ private information on its servers and adopt appropriate data deletion practices.

As a result of today’s agreement, the Sports Warehouse companies must pay the state $300,000 in penalties and adopt measures to better protect the personal information of consumers going forward, including:

  • Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the companies’ leadership;
  • Encrypting the private information the companies collect, use, store, and maintain;
  • Strengthening the requirements for customers’ passwords and hash all stored passwords;
  • Developing a penetration testing program that includes regular testing of the companies’ network security; and,
  • Updating their data collection and retention practices, including only collecting data to the minimum extent necessary to perform legitimate business functions and permanently deleting all such data when there is no longer a reasonably foreseeable business or legal purpose to retain such information.

This action builds on Attorney General James’ ongoing efforts to protect consumers’ personal information and hold companies accountable for having poor cybersecurity. Earlier this week, Attorney General James recouped $550,000 from a medical management company for failing to protect the private information of patients. Last month, Attorney General James released a comprehensive data security guide to help businesses better protect New Yorkers’ personal information. In December 2022, Attorney General James secured $200,000 from a student cap and gown producer, Herff Jones, for failing to protect consumers’ personal information. In October 2022, Attorney General James announced a $1.2 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers nationwide. In June 2022, Attorney General James secured $400,000 from Wegmans and required the retailer to improve data storage security after a data breach exposed consumers’ personal information. In March 2022, Attorney General James issued a consumer alert advising T-Mobile customers to take appropriate steps to protect their personal information following a data breach.

This matter was handled by Assistant Attorney General Laura Mumm and Deputy Bureau Chief Clark Russell, with special assistance from Internet and Technology Analyst Nishaant Goswamy, of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.

Source: NYS Attorney General

Category: Breach IncidentsHack

Post navigation

← NHS data breach: trusts shared patient details with Facebook without consent
New York county still dealing with ransomware eight months after attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.