Cyber Incident Victim: SportPursuit
Date:
Mar 2016
Location:
United Kingdom
Summary
SportPursuit experienced a data breach where hackers potentially accessed customer debit or credit card details due to a coding error during website changes that inadvertently stored payment information, contrary to the company's standard practices. The exposed data was encrypted, and CVV numbers were not compromised; upon discovery, the company deleted the stored details and addressed the vulnerability. Affected customers received notifications about the incident, though the organization faced criticism for vague communications regarding the breach's scope and impact. The incident was reported to the relevant data protection authority.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
SportPursuit, a UK-based online clothing retailer, experienced a cybersecurity incident around the Easter weekend of March 2016. The company publicly acknowledged the breach on March 27 when it notified customers via email about discovering evidence of "an attempted data hack" that potentially compromised payment information. Initial communications described the impact as limited to "a small number" of customers but provided no specific timeframe for the attack or comprehensive list of compromised data types. SportPursuit's vague disclosure stated that stolen information "may" have included debit or credit card details, while emphasizing it had contacted all potentially affected individuals. This ambiguity drew immediate criticism from customers on social media platforms, who accused the company of providing inadequate details and standardized responses to inquiries.
Following media scrutiny from The Register, SportPursuit confirmed it had notified the UK Information Commissioner's Office (ICO) about the breach. The company revealed that the incident stemmed from a coding error introduced during website modifications, which inadvertently caused the temporary storage of payment card details - a violation of their standard policy against retaining such data. According to their technical explanation, the erroneously stored card information was automatically encrypted using what they described as a "strong encryption algorithm," though no CVV numbers were ever retained. Upon discovering the storage issue, SportPursuit claimed to have immediately halted the unintended data retention and deleted all improperly stored payment details. The organization maintained that its site monitoring systems detected the breach promptly, enabling their technical team to "act quickly to resolve the issue," though they never publicly disclosed the exact attack dates, total affected customers, or whether non-payment data was accessed. This incident created contractual contradictions, as SportPursuit's terms and conditions previously stated they did not store card details, prompting customer concerns about compliance with PCI-DSS standards and the adequacy of their breach response.