Cyber Incident Victim: Tackle Warehouse
Date: Oct 2021
Location: United States of America
Summary
A cyberattack targeting four affiliated online sports retailers, including Tackle Warehouse, compromised sensitive customer data through an external system breach. Threat actors stole financial information encompassing credit and debit card numbers with CVV codes, full names, account passwords, and financial account details. The breach was discovered shortly after the incident, prompting an investigation that confirmed the theft of payment data for over 1.8 million individuals. The retailers notified affected customers approximately two months later, having reported the incident to payment card networks and law enforcement and engaged digital forensics experts to bolster site security. The exact intrusion method remains unspecified, though the compromised data included highly sensitive credentials. No identity protection services were provided to impacted customers despite the severity of the exposed information.
Description
On October 1, 2021, threat actors breached four affiliated online sports retail websites—Tackle Warehouse (fishing gear), Running Warehouse (running apparel), Tennis Warehouse (tennis apparel), and Skate Warehouse (skateboarding gear)—compromising sensitive payment and personal data of 1,813,224 customers. The attackers exfiltrated full names, financial account numbers, credit card numbers with CVV codes, debit card numbers with CVV codes, and website account passwords. The websites first detected anomalous activity on October 15, 2021, triggering an internal investigation that concluded on November 29, 2021, confirming the theft scope and impacted individuals. No technical details regarding the intrusion vector or attacker methodology were disclosed publicly, though the breach notification letters classified it as an "external system breach (hacking)," suggesting unauthorized database access rather than payment page skimming. Affected customers received formal notification on December 16, 2021, approximately eleven weeks after initial detection and forty-six days after confirming data theft.

The compromised entities immediately reported the incident to payment card networks to flag potentially fraudulent transactions and engaged law enforcement agencies for criminal investigation. Tackle Warehouse and its affiliated sites retained a digital forensics firm to analyze the breach and implement enhanced security controls for future transactions, though specific technical remediation measures were not detailed in public communications. No complimentary identity theft protection or credit monitoring services were offered to victims despite the high sensitivity of stolen CVV codes and financial credentials. The breach exposed customers to elevated risks of payment card fraud, account takeover attempts, and credential-stuffing attacks due to the inclusion of plaintext passwords. Forensic investigators and website operators did not publicly attribute the attack to any specific threat actor group or disclose whether ransomware or extortion tactics accompanied the data theft.
