Fitness Depot hit by data breach after ISP fails to ‘activate the antivirus’

Canadian retailer Fitness Depot announced customers that their personal and financial information was stolen following a breach that affected the company's e-commerce platform last month.

Fitness Depot is the largest specialty exercise equipment retailer in Canada, with 40 stores nationwide and two in the United States, Texas, in Dallas and Houston.

Signs of a Magecart attack

Based on the info in the breach notification letter the company sent to all potentially impacted individuals, the attack has all the signs of a textbook Magecart attack where the threat actors were able to compromise Fitness Depot's online store and inject a malicious form designed to harvest and exfiltrate customer information.

In such attacks, cybercrime groups known as Magecart groups hack e-commerce stores and inject malicious JavaScript-based scripts into their checkout pages as part of web skimming (aka e-skimming) attacks.

The attackers' end goal is to steal all the payment or personal information submitted by the compromised sites' customers and to collect it on remote servers under their control.

Not all customers were affected

In a letter sent to affected customers, the company says that the attackers may have accessed or stolen the information of clients "who made purchases for delivery and or who made purchases for in-store pick up at one of our retail locations," reads.

The information accessed or harvested by the attackers may have included the impacted customers' name, address, email address, telephone number, and credit card number.

The breach goes as far back as February 18, 2020, according to Fitness Depot's data breach notification and it started with a malicious form being injected within the online store.

"Once our customers where (sic) redirected to this form the customer information was copied without the authorization or knowledge of Fitness Depot," the company says. "This is how the personal information was captured and stolen."

Only customers with home delivery were impacted between February 18 and April 27, while from April 28 and May 22 "any customer that ordered product for Home delivery or ordered product for in-store pick-up could have been potentially affected."

The ISP gets blamed for the breach

Fitness Depot blames its internet service provider (ISP) for the data breach saying that "[b]ased on our preliminary findings it appears our Internet Service Provider [ISP] neglected to activate the anti-virus software on our account."

It is not yet known what Canadian fitness retailer refers to since it's not an ISP's job to protect its customers' e-commerce platforms with anti-malware solutions. 

BleepingComputer has reached out to Fitness Depot for more details but had not heard back at the time of this publication.

Additionally, while Fitness Depot said that "personal information was captured and stolen," the company also says that it "has no knowledge that any of our customer information was compromised in any manner."

Fitness Depot also advises customers to keep an eye out for identity theft or fraud attempts by monitoring their free credit reports and reviewing account statements.

Comments are closed.