Cyber Incident Victim: Camping World and Good Sam

On November 7, 2022, CWGS Group, operating as Camping World and Good Sam, reported a data breach to the Massachusetts Attorney General after confirming unauthorized access to sensitive consumer data. The company detected suspicious activity within its computer systems on February 9, 2022, prompting immediate system security measures and engagement of third-party data security specialists to investigate. The forensic investigation determined an unauthorized party accessed CWGS systems between January 14, 2022 and February 13, 2022, exposing multiple categories of personal information. Compromised data included names, dates of birth, Social Security numbers, driver’s license numbers, government ID numbers, tax ID numbers, financial account numbers, debit and credit card numbers, digital and electronic signatures, and usernames with passwords. CWGS completed its review of affected files on July 20, 2022, identifying specific individuals impacted by the breach. The company delayed public notification until November 7, 2022, at the request of law enforcement agencies involved in the investigation. Data breach notification letters were distributed to affected consumers on that date, detailing the compromised information types and potential risks of identity theft and fraud. The breach exposed customers of both Camping World, an Illinois-based RV and camping retailer with approximately $3 billion annual revenue, and Good Sam, a Colorado-based RV rental company generating $527 million annually.

The incident impacted customers across both brands under the CWGS Group holding company structure, though the exact number of affected individuals remains undisclosed. Exposed information enabled multiple forms of financial fraud and identity theft due to the inclusion of government-issued identifiers, financial credentials, and authentication data. CWGS implemented system security measures immediately upon detecting the breach on February 9, 2022, containing further unauthorized access. The investigation revealed a 30-day window of unauthorized system access prior to detection. Affected consumers received guidance on protective measures but faced inherent limitations in preventing misuse of stolen sensitive identifiers. The breach notification occurred nine months after initial detection and four months after completing the data review, with delays attributed to law enforcement coordination. Both companies continued operations without disclosed interruptions, maintaining their respective retail and rental services throughout the investigation period. The compromised data types created long-term risks for victims given the non-expiring nature of Social Security numbers and government identifiers. No specific attacker methodology or data exfiltration details were disclosed in the regulatory filing or public notice.