Sock company fined for delayed notification about data breach

Letitia James, the Attorney General of New York, announced that Sock-maker Bombas LLC -- whose advertisements call their products as "the most comfortable socks in the history of feet" -- will pay fine of $65,000 for taking more than three years to notify the online customers (i.e. 39,561 customers) that their debit and credit card data was breached.

As per a press statement, the Attorney General of New York said that the online socks retailer also will "implement a number of data security policies" in order to ensure that the customer cards were safe, and any breaches in future are reported immediately. James added that the "New Yorkers deserve to shop with confidence and have faith that their personal information will be protected".

This Bombas LLC data breach has happened on September 27, 2014, after an unauthorized intruder(s) has inserted a malicious software code in Magento ecommerce platform code that was supporting the Bombas' website. This malicious software code was designed for stealing the payment card information.

While the code was discovered by Bombas on Nov. 29, 2014, it didn't fix this problem until Jan. 15, 2015. However, the code was again mistakenly reintroduced in the website by Sock-maker Bombas LLC after a few weeks. Finally, the code was deleted permanently on Feb. 8, 2015.

James said that "it was determined that the intruders accessed customer information including names, addresses, and credit card information of 39,561 payment card holders -- roughly 2,971 of whom were New Yorkers".

Bombas LLC started notifying the affected consumers in the month of May of year 2018, which is more than 3 years since the company came to know about the breach. Bombas LLC has offered the possibly affected customers free credit monitoring, identity theft restoration and fraud consultation services by Kroll Inc. for two years. However, as Bombas did not inform the affected consumers as well as relevant agencies of New York in a particular time-period, it violated the 899-AA of the General Business Law.

In addition to monetary settlement, the Bombas LLC agreed to several injunctive provisions that were aimed at stopping similar kind of breaches in future. That includes conducting thorough as well as expeditious investigations for any data security breaches in the future involving the private information; along with conducting trainings for the appropriate officers, employees, and managers of their responsibilities and roles in ensuring that the Bombas LLC investigates the suspected data breaches as well as complies with 899-AA of the General Business Law.

» SPAMfighter News - 6/25/2019