Cyber Incident Victim: Running Room
Date: Nov 2022
Location: Canada
Summary
Running Room experienced a security breach in which unauthorized actors accessed its Canadian online shop checkout to skim customer data, including names, addresses, phone numbers, email addresses, and credit card details (card numbers, expiration dates, and CVVs). The compromise affected individuals who made purchases during a two-month period. The attackers likely intended to resell the stolen information, which could also be misused in phishing or social engineering schemes. The company promptly addressed the vulnerability, implemented enhanced security measures, and collaborated with law enforcement and cybersecurity authorities to mitigate the incident.
Description
On November 19, 2022, unauthorized actors gained access to Running Room’s Canadian online shop checkout system, deploying skimming malware designed to capture customer payment and personal information during transactions. The compromise persisted undetected for approximately two months until January 18, 2023, when Running Room identified the breach and initiated an investigation. The skimming operation targeted customers who made purchases through the website during this period, exfiltrating email addresses, names, physical addresses, phone numbers, and complete credit card details—including card numbers, expiration dates, and CVV codes. Running Room confirmed the incident was limited to transactions processed between November 19, 2022, and January 18, 2023, with no evidence of broader system compromise beyond the checkout functionality. The attackers’ primary objective appeared to be harvesting financial data for resale, though the compromised personal information also created risks of phishing campaigns and social engineering attempts against affected individuals.

Upon discovery, Running Room immediately disabled the attackers’ access and removed the skimming mechanism from the checkout system. The organization implemented enhanced security measures to prevent recurrence but did not publicly disclose technical specifics of the vulnerability exploited. Running Room engaged law enforcement agencies, Canadian privacy regulators, and the Canadian Centre for Cyber Security to investigate the incident. Impacted customers—those who transacted during the two-month window—received direct notifications advising password resets for Running Room accounts and vigilance regarding suspicious financial activity. The company confirmed no operational disruptions to its services post-remediation and asserted that continued use of accounts was safe following the implemented security upgrades. Financial institutions were not explicitly noted as having received breached card data from Running Room, leaving monitoring responsibilities to individual cardholders.
