N.Y.’s Attorney General Fines Sports Warehouse After Data Breach

The lack of security measures at the online retailer compromised the private information of more than 2.5 million consumers.


New York Attorney General Letitia James has fined an online sports retailer for failing to protect its customers.

On Thursday, James said Sports Warehouse, an online sporting goods retailer that owns the websites Tennis Warehouse, Running Warehouse, Skate Warehouse and Tackle Warehouse, must pay the state $300,000 in penalties for poor data security that compromised some 2 million customers and 100,000-plus New Yorkers.

The company’s poor security led to a data breach in 2021 that compromised consumers’ private information, including credit card details and email addresses for more than 136,000 New Yorkers. 

As a result of this agreement, Sports Warehouse must pay $300,000 in penalties to the state and strengthen its cybersecurity measures to protect consumers’ private information going forward.

“Sports Warehouse ran its companies without the adequate gear to protect online shoppers from cyberattacks, and today they are paying the price for compromising consumers’ digital privacy,” said James. “When we buy tennis shoes or gym clothes online, we don’t expect thieves to run off with our credit card details or other personal information. New Yorkers deserve the peace of mind that their private information is secure, and we’ll continue to go after companies that violate this right and ensure they improve their data security practices.”  

In 2021, an attacker gained access to Sports Warehouse’s subsidiary servers, which contained payment information for nearly every purchase made through its websites since 2002. The attacker also managed to obtain email addresses and passwords.

In total, the attackers potentially accessed the nonexpired payment card information of as many as 1.8 million consumers, including 101,558 New Yorkers, and the login credentials of 1.2 million consumers, including 82,757 New Yorkers, James said.   

The Office of the Attorney General determined that the Sports Warehouse companies failed to adopt reasonable practices to protect their customers’ personal information by failing to encrypt consumers’ private information on their servers and to adopt appropriate data deletion practices.

As a result of the agreement revealed Thursday, the Sports Warehouse companies must maintain a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the companies’ leadership; encrypt the private information the companies collect, use, store and maintain; strengthen the requirements for customers’ passwords; regularly test the companies’ security; and update the data collection and retention practices.

This is just the latest in James’ ongoing efforts to protect consumers’ personal information. In the past, her office has also fined Shein and Zoetop as well as Herff, a student cap and gown producer, Wegmans supermarkets and others.

