[BreachExchange] Sock company Bombas fined over data breach

Destry Winant destry at riskbasedsecurity.com
Fri Jun 7 06:14:56 EDT 2019


https://nypost.com/2019/06/06/sock-company-bombas-fined-over-data-breach/

Sock-maker Bombas has settled the most uncomfortable data-breach probe
in the history of feet.

New York Attorney General Letitia James on Thursday announced that
Bombas LLC — whose ads call their products “the most comfortable socks
in the history of feet” — will pay $65,000 in fines for waiting three
years to tell 39,561 online customers that their credit and debit card
data had been breached.

The online socks retailer will also “implement a number of data
security policies” to ensure customer cards are safer, and any future
breaches are reported immediately, the AG said in a press statement.

“New Yorkers deserve to shop with confidence and have faith that their
personal information will be protected,” James said.

The data breach happened Sept. 27, 2014, when hackers inserted
card-data-stealing malware into the platform that supported the Bombas
website, James said.

Bombas discovered the hack on Nov. 29, 2014, but did not fix the
problem until Jan. 15, 2015, two weeks later. Adding insult to injury,
a few weeks after that, Bombas accidentally reintroduced the malware
into the website, the AG said.

The retailer — which says it donates a pair of socks to homeless
shelters for every pair bought — failed to permanently delete the bad
code until Feb. 8, 2015, the AG said.

And it didn’t tell consumers about the breach until May 2018, more
than three years after first learning of it, in violation of state
law.

Only at that point did Bombas offer consumers two years of free credit
monitoring and ID theft services as required by law.

“It was determined that the intruders accessed customer information
including names, addresses, and credit card information of 39,561
payment card holders — roughly 2,971 of whom were New Yorkers,” James
said.

The retailer said of the settlement: “Bombas is pleased to close out
this 2014 security incident. Our e-commerce protections and capacities
have grown immensely over the last five years, and we remain committed
to our customers’ security and satisfaction, as well as our efforts to
improve the community where we all work and live.”
