- New York AG Letitia James settled with Sports Warehouse, Inc. and affiliated entities to resolve allegations that the online sporting goods retailer maintained poor data security practices that led to the compromise of personal information of over 136,000 New York consumers.
- According to AG James, a cyber attacker was able to gain access to Sports Warehouse’s servers through a brute-force attack. The attacker then utilized web shells to gain access to other Sports Warehouse servers containing consumer credit card data, which later appeared on the dark web. According to AG James, Sports Warehouse failed to encrypt consumers’ private information or adopt appropriate data deletion practices.
- Under the terms of the settlement, Sports Warehouse must pay $300,000 in penalties to the state, and improve its information security program to bolster encryption, strengthen password requirements, develop a regular penetration testing program, and revise data collection and retention practices, among other things.