Sock brand Bombas has agreed to pay $65,000 in penalties to resolve the New York Attorney General’s investigation of a 2014 data breach involving its online customers’ credit cards.
The New York AG’s office said that Bombas discovered the breach, which affected 39,561 consumers, in November 2014, but waited more than three years, until May 2018, before notifying them. Bombas did not admit to the NY AG’s allegations as part of the settlement.
“Bombas is pleased to close out this 2014 security incident,” a Bombas representative said in a statement Thursday. “As part of this resolution, Bombas did not admit to the NY AG’s findings, but we respect their position.”
The breach happened in September 2014 when “unauthorized intruder(s)” inserted malicious code into Bombas’s installation of Magento, the third-party e-commerce platform the company used for its online store, according to the NY AG. The breach allegedly exposed the names, addresses, and credit card information of the affected customers, including nearly 3,000 New Yorkers.
The NY AG’s office also alleged that Bombas discovered the malicious code in November 2014 but did not fully remove it until February 2015.
“Our e-commerce protections and capacities have grown immensely over the last five years, and we remain committed to our customers’ security and satisfaction, as well as to our efforts to improve the community where we all work and live,” Bombas said in its statement.
As part of its settlement, Bombas has also agreed to thoroughly investigate any future data breaches involving sensitive personal information and to train its staff on investigating such breaches, the NY AG’s office said. For customers who may have been affected by the breach, Bombas has also offered two years of free credit monitoring and identity theft restoration services, according to the office.
“New Yorkers deserve to shop with confidence and have faith that their personal information will be protected,” NY Attorney General Letitia James said in a statement. “This agreement will ensure better protection of New Yorkers’ personal information and notice of a breach in a timely manner.”