New York: AG agrees $300,000 settlement with Sports Warehouse for data breach

On May 25, 2023, the New York Attorney General (AG) published Assurance of Discontinuance No. 23-022, in which it came to a settlement of $300,000 with Sports Warehouse Inc., d/b/a Tennis Warehouse, LLC; Wilderness Sports Warehouse, LLC, d/b/a Tackle Warehouse; Skate Warehouse, LLC; and Running Warehouse, LLC (Sports Warehouse), for violation of §63(12) of the Executive Law (the Executive Law) and §§899-aa and 899-bb of the General Business Law of New York (GBL), following an investigation.

Background to the settlement

The AG highlighted that, on October 15, 2021, Sports Warehouse was contacted by a fraud intelligence advisory service, which alerted it to the sale of customer payment card data on the dark web; the data had been leaked by a third party through an attack on Sports Warehouse servers.

Findings of the AG

The AG found that the personal data leaked included card verification values, cardholder names, and billing addresses. Further, the AG noted that the card information of around 1,813,224 consumers, including 101,558 New York State residents, and the login credentials of 1,180,939 consumers, including 82,757 New York State residents, had been leaked by the third party. The AG noted that Sports Warehouse used only single-factor authentication for access to the relevant servers containing consumer card data and personal data, and that such data was stored in plain text and was not encrypted. The AG also outlined that the third party had been able to move laterally between the Sports Warehouse entities' servers and their e-commerce servers, owing to the use of shared passwords and a lack of complete network segmentation. Therefore, the AG found Sports Warehouse to have violated §63(12) of the Executive Law and §§899-aa and 899-bb of the GBL.

Outcomes

As a result of the abovementioned violations, the AG stated that Sports Warehouse must, among other things:

  • maintain a comprehensive information security program that must:
    • assess and document not less than annually, internal and external risks to the security, integrity, and confidentiality of customer private information;
    • design, implement, and maintain reasonable administrative, technical, and physical safeguards to control internal and external risks; and
    • select service providers capable of reasonably safeguarding customer private information, contractually requiring service providers to implement and maintain appropriate safeguards to protect customer private information;
  • appoint a qualified employee to be responsible for implementing, maintaining, and monitoring the information security program with credentials, background, and expertise in information security;
  • encrypt private information collected, used, stored, or transmitted;
  • establish, and, thereafter, maintain appropriate password policies and procedures for customer accounts;
  • develop, implement, and maintain a penetration testing program designed to identify, assess, and remediate security vulnerabilities;
  • request, collect, use, or store private information only to the extent reasonably necessary to accomplish the intended legitimate business purpose; and
  • use reasonable efforts to permanently and securely delete or otherwise dispose of private information when there is no current or foreseeable business or legal purpose.

Finally, the AG reached a settlement with Sports Warehouse for $300,000.

You can read the press release here and the Assurance of Discontinuance here.