The customer records of 6.8 million customers of StockX Inc, a venture capital-backed sneaker trading web portal, have been stolen in a recent hacking attack.
All the specific details of the attack have yet to be revealed. What is known is that TechCrunch was advised by an anonymous source that the hack took place in May. Following this, the records were offered for sale for $300 via the dark web.
It appears as though the cyberattack was, at first, covered up by the company. A password reset was pushed out to customers as part of a system update on Thursday. However, by Sunday it was revealed that the company had suffered what is being referred to as a “data security issue.”
Among the data illegally obtained are customer identification, email addresses, shipping details, usernames, hashed passwords and purchase records. StockX has said that it believes no financial or payment information was stolen as part of the attack.
As the company, which is located in Detroit, makes its platform available to customers based in the European Union, it is subject to the EU's General Data Protection Regulation (GDPR), which was introduced in 2018.
It seems certain that StockX will be subjected to a fine for not properly safeguarding customer private data and not taking adequate steps to prevent hacking. Additionally, there is a requirement to disclose details of a hack within 72 hours of a GDPR breach being identified. It will come as no surprise to see the EU Privacy Commissioner focusing on the fact that StockX not only failed to disclose the hack but actively tried to cover it up at first.
On August 4 StockX published a blog post which stated: “We were alerted to suspicious activity potentially involving customer data. Upon learning of the suspicious activity, we immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist. Though our investigation remains ongoing, forensic evidence to date suggests that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted.”
It went on to say: “As we investigate, StockX will continue to take additional measures, as needed, to protect the privacy of our customers. In the meantime, out of an abundance of caution, we recommend that if you use your StockX password for other accounts, you change those passwords as well. Again, we take data security and privacy very seriously, and will continue to communicate with our customers and work hard to protect those who trust us with their shopping experience.”
GDPR can result in a financial penalty of 4% of global revenues or €20m, whichever figure is higher. StockX was last month valued at over $1 billion after a $110 million fundraise.