Fitness Depot's online store hacked, customer information at risk | Insurance Business


Fitness Depot, a Canadian retailer of fitness equipment, has revealed that its e-commerce platform was breached last month, compromising customer information.

In a letter sent to affected customers, Fitness Depot said that it believes the cyber criminals responsible for the attack may have accessed personal information of customers who made purchases for delivery or in-store pick up via the website. The information stolen may include customers’ names, addresses, email addresses, telephone numbers, and credit card numbers used in the transaction.

Bleeping Computer reported that the breach fits the description of a “Magecart” cyberattack, in which malicious actors compromise e-commerce stores and inject JavaScript-based skimming malware into the checkout pages. The skimmer then runs every time a customer makes a purchase, secretly copying the details entered at checkout and sending them back to the hackers.
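As an added defender-side illustration (not code from the article, from Fitness Depot or from Sansec), the following Python script shows one way an external monitor can spot a Magecart-style injection of the kind described above: it parses a checkout page and flags every script whose host, or whose inline body hash, is absent from a recorded known-good baseline. The page content, hostnames and baseline are all constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (hostnames are made up): two expected scripts,
# one expected inline snippet, then one injected external and one injected inline.
SAMPLE_CHECKOUT_HTML = """<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/jquery.min.js"></script>
<script>window.cart = {};</script>
<script src="https://stats-cdn-example.net/track.js"></script>
<script>var t = 1;</script>
<form id="payment"><input name="cardnumber"></form>
</body></html>"""
# Baseline recorded from a known-good crawl of the same page (constructed).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}
ALLOWED_INLINE_SHA256 = {hashlib.sha256(b"window.cart = {};").hexdigest()}

class ScriptCollector(HTMLParser):
    # Gathers external script URLs and the bodies of inline <script> blocks.
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # a list while inside an inline <script>, else None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def find_unexpected_scripts(html, allowed_hosts, allowed_inline_hashes):
    # Returns (kind, value) pairs for every script absent from the baseline.
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname  # None means a relative, first-party path
        if host is not None and host not in allowed_hosts:
            findings.append(("external", src))
    for body in collector.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in allowed_inline_hashes:
            findings.append(("inline", digest))
    return findings
```

A check like this only sees scripts added to the page; a skimmer appended to an allowlisted first-party file needs content hashing of the files themselves (for example Subresource Integrity or server-side file integrity monitoring) to be caught.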

The fitness equipment store said that the breach goes as far back as February 18, 2020. Customers with home delivery orders between February 18 and April 27, 2020 were impacted. Customers that ordered products for home delivery or ordered products for in-store pick-up between April 28 and May 22, 2020 were also affected.

Security firm Sansec revealed to Bleeping Computer that it first detected the payment card skimming malware in Fitness Depot’s online store between April 02 and May 17. Fitness Depot explained in its letter to the affected customers that it was informed of the potential breach on May 22.

The retailer’s letter also had some inconsistencies in information, according to the report. Fitness Depot claimed that based on its preliminary findings, its Internet Service Provider “neglected to activate the anti-virus software on [its] account.”

It is not an ISP’s job to provide anti-malware software.

And while Fitness Depot said that “personal information was captured and stolen,” the retailer also said in its letter that it “has no knowledge that any of our customer information was compromised in any manner,” the Bleeping Computer report stated.