Sports and Health/Fitness Retailers Find Themselves in the Cyber Security Firing Line


Posted on by Tony Kontzer

As cyber security breaches have become an unavoidable part of doing business in the 21st century, hackers have at times appeared to be working through various categories of companies one at a time.

Back in 2013 and 2014, it was big box retailers like Target and Home Depot who started getting the worst of it.

In 2015, a report from Websense (since renamed Forcepoint) indicated that financial services companies were attracting the bulk of the action. The following year, law firms became the focus, and by early 2017, according to a blog post from web security firm TitanHQ, the tide was shifting toward health care providers and government agencies.

Now, it appears that the bad guys have zeroed in on a new favored target: sports and health- or fitness-related retailers. Whether it’s the type of data these retailers possess or a perception that their security measures remain behind the times that's making them attractive targets isn't clear, but there's no denying they've become a popular focal point for hackers.

The current wave of these attacks started earlier this year, when Under Armour revealed that an unauthorized party accessed data belonging to 150 million users of its health and fitness app, MyFitnessPal, including user names, email addresses and passwords. The company said that financial data was not compromised, and that it doesn't collect or store government identifiers such as social security numbers and drivers licenses.

That said, the data that was breached is sufficient to wreak havoc on the millions of victims, and the size of the exposure makes it one worth learning as many lessons from as possible.

A few months later, athletic apparel maker Adidas reported that an unauthorized third party had accessed customer data. The company said it had no reason to believe that any customer's financial or fitness data had been accessed, and in a subsequent email exchange with the Los Angeles Times, a spokeswoman said the breach affected a "few million" customers.

Then, on the heels of Adidas' discovery, British specialty grocer Fortnum & Mason said that 23,000 customers who had filled out a survey or signed up for an online competition had their emails compromised by an unidentified third party. The 310-year-old retailer said that the survey and competition were created and organized by Typeform, a cloud-based provider of online surveys and forms that is doing a forensic analysis of the incident.

Just as in the Under Armor and Adidas breaches, Fortnum and Mason maintained that the affected customers' financial data had not been compromised, and that their "money and accounts are safe."

Also during this time, a security researcher found that popular fitness app PumpUp had been leaking users' personal data thanks to a backend server hosted on Amazon's cloud that had been left exposed without a password. The server was used to send messages between users, and the leak, which was discovered in May, exposed personal data ranging from email addresses, birthdates and user locations to workout goals and photos. Some unencrypted credit card data may have been exposed, as well.

While the incident was a leak and not an attack, the exposure of the data, combined with the possible exposure of financial data, earns PumpUp inclusion on any list of recently victimized companies in the sector.

That said, one theme that deserves extra attention here is the consistent insistence that financial data was not exposed. The fact that each of the recent breaches in this sector included this kind of damage control statement says much about the threat that breaches pose. Any time a retail organization is exposed in this way, its reputation is sullied.

That retailers so clearly feel they must address this element when a breach occurs is a reminder that the details of every one of our financial transactions are always potentially vulnerable. These transactions represent the most sacred part of the relationship between a company and its customers, the very foundation of the trust between the two. If customers don't feel their transactions with a retailer are safe, there's no relationship left to protect.

Sometimes the constant flow of retail breaches can make it seem like there's no way to stop attackers from getting at the data they want. But the truth, as consumer electronics publication TWICE recently pointed out, is that retailers too often are reactive in their approach to cyber security rather than proactive, often not realizing they're being attacked until it's too late.

Unless retailers get out in front of their cyber security challenges, the bad guys will just keep working through subsectors of the industry, picking on whoever is underprepared. And rest assured, they won't always be able to claim that no financial data was compromised.

Contributors
Tony Kontzer

, RSAC

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs