Cyber Incident Victim: Puma
Date: Jan 2023
Location: Chile
Summary
A multinational sportswear company experienced a data breach impacting over 230,000 customers on its Chilean e-commerce platform, with an 84MB dataset containing personal and transactional information listed for sale on a hacker forum. The exposed data included customer names, email addresses, phone numbers, billing and shipping details, purchase histories, and partial payment information. A threat actor attributed the leak to employee accounts compromised through malware infections, though the company stated it was investigating the incident's scope and origin. The attacker also provided purported administrative credentials for the e-commerce system, which were partially validated through password recovery functions but not independently confirmed by investigators.
Description
On or around January 21, 2023, a threat actor listed a dataset allegedly containing information from Puma’s Chilean e-commerce website (cl.puma.com) for sale on a hacker forum. The advertisement claimed the 84MB CSV file contained private data of 237,013 customers, including fields such as customer email, telephone number, name, document identifier, purchase dates, billing and shipping addresses, payment method ("Medio de pago"), order totals, coupon codes, payment status ("Estado del Pago"), city, and region. The seller, described as having a reputable standing on the forum, specified the data originated from Puma’s Chilean operations and was obtained on the stated date. Cybersecurity publication Cybernews initially reported the listing but could not independently verify its authenticity at the time. Puma confirmed it was investigating a potential data leak affecting its Chilean e-commerce platform shortly after being contacted by media, acknowledging the incident but not yet confirming the specific scope or origin of the breach.

Further engagement by DataBreaches.net with the forum user revealed additional claims about the breach’s cause. The threat actor asserted that Puma employees "got caught by a virus," though they clarified they did not directly compromise the systems and instead purchased logs from suppliers. To substantiate their access, the seller provided purported administrative credentials for a Puma e-commerce panel login. While DataBreaches did not attempt unauthorized access, they verified the username’s validity by triggering a password reset prompt that requested an email address for recovery. This interaction suggested the threat actor possessed at least one legitimate administrative credential, though the extent of system access or data exfiltration methods remained unconfirmed. Puma did not publicly disclose technical details about the alleged malware infection, employee involvement, or the timeline of detection and containment efforts beyond its initial statement about the ongoing investigation. The incident exposed potential risks to Chilean customers’ personal and financial information, with the dataset’s contents indicating compromised transaction records and contact details spanning an unspecified period prior to January 21.
