Data Breach: Canada’s Fitness Depot Blames ISP for Security Incident

As Covid-19 spread across the world, opportunities to exercise outdoors became limited for most people. Workout routines quickly shifted online, and with gyms now closed, online sales of fitness equipment skyrocketed 55% between January and March 2020.

The newest addition to the data breach ‘wall of shame’ is none other than Fitness Depot, Canada’s largest fitness equipment retailer. Recently, the company started informing its customers about a security incident that led to the exposure of customers’ names, home addresses, email addresses, telephone numbers, and the credit card numbers used in transactions.

“Cyber criminals may have accessed and or removed personal information relating to certain individuals who made purchases for delivery and or who made purchases for in-store pick up at one of our retail locations,” Fitness Depot said in a data breach notification letter sent to affected shoppers.

The data breach, which dates back to February 18, began with the injection of a malicious form on the company website, a clear sign of a Magecart-style attack. Such web skimming attacks are designed to steal payment and personal information.

“Cyber criminals were able to place a form on our Fitness Depot website that was misleading,” the company said. “Once our customers were redirected to this form the customer information was copied without the authorization or knowledge of Fitness Depot. This is how the personal information was captured and stolen.”

It took the company just over 3 months to discover the incident, as their notification clearly points out.

“On May 22nd, 2020 Fitness Depot was informed of a potential data breach on transactions involving our Ecommerce operations. Fitness Depot immediately shut down this service and launched an investigation,” the letter reads.

The vendor is now pointing fingers at its Internet Service Provider (ISP), which apparently “neglected to activate the anti-virus software” on their account. While their statement leaves plenty of room for debate, additional questions remain regarding the number of impacted customers and potential assistance for them; no credit monitoring services were provided for shoppers. The company warns of potential fraud and identity theft incidents, and advises customers to review account statements regularly.

“As of this writing of this notification, Fitness Depot has no knowledge that any of our customer information was compromised in any manner,” the company said. “If you feel that your personal customer information was in fact compromised in any way, please let us know immediately.”

The retailer also mentioned that their security measures have now removed the cyber thieves’ access to their online systems, but said they will continue to monitor for any signs of unauthorized activity on their e-commerce platform.

As the world switched to even more online shopping, cybercriminals were not on holiday. They quickly exploited the uptick in e-commerce, deploying targeted attacks on multiple platforms to steal personal and financial information of customers. No stone was left unturned, and cybercrime continues to flourish in the underbelly created by the coronavirus pandemic.

About the author

Alina Bizga

Alina has been a part of the Bitdefender family for some years now, as her past role involved interfacing with end users and partners, advocating Bitdefender technologies and solutions. She is a history buff and passionate about cybersecurity and anything sci-fi. Her spare time is usually split between her two feline friends and traveling.