Popular sneaker buying and selling hub StockX is the latest victim of a cyber attack, after hackers penetrated its systems and stole the sensitive information of more than 6.8 million users worldwide.
Earlier last week the venture-backed firm had emailed users asking them to change their passwords, citing “system updates”. TechCrunch then reported that an unnamed seller had contacted the publication claiming that the records of more than 6.8 million users had been stolen from StockX in a breach in May of this year. The seller also supplied a sample of 1,000 records from the stolen data, and TechCrunch contacted customers from the sample, citing details unique to their records; every customer reached confirmed that the data was accurate and matched what the seller had provided.
Following this, Zack Whittaker of TechCrunch tweeted: “@StockX was hacked, with more than 6.8 million user records stolen. Instead of telling its customers, the company told them that this week’s password reset was for “system updates”.” TechCrunch also published its exclusive story. It was only after the breach became public that StockX informed customers of it, stating: “We were alerted to suspicious activity potentially involving customer data. Upon learning of the suspicious activity, we immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist.”
StockX also said that its investigation is still underway, and that the forensic evidence so far indicates that customer data including names, email addresses, usernames, passwords, shipping addresses and purchase histories was accessed by an “unknown third party.” It stated that financial details were not affected by the breach.
StockX also defended its handling of the incident, adding: “We want you to know that we took these steps proactively and immediately, because we had just begun our investigation and did not yet know the nature, extent, or scope of suspicious activity to which we had been alerted. Though we had incomplete information, we felt a responsibility to act immediately to protect our customers while our investigation continued—and we took steps to do so.”
StockX’s attempt to play down the incident raises questions not only about its ethics but also about its legal exposure. Although StockX is based in Detroit, it has a global customer base, which means the breach falls under the EU’s General Data Protection Regulation for any EU residents whose data was involved; the GDPR requires a controller to notify its supervisory authority within 72 hours of becoming aware of a breach, and to inform affected individuals without undue delay where the breach poses a high risk to them. How much StockX will be fined remains to be seen, but its reputation has already been damaged. Meanwhile, the stolen user data is reportedly being sold on the dark web for about $300.
Protecting customer data is one thing; communicating honestly with customers when that data is breached is another, and it is something enterprises still need to learn. The StockX incident should be a lesson for every consumer-facing business.