Cyber Incident Victim: Backcountry Gear
Date: Oct 2014
Location: United States of America
Summary
Backcountry Gear experienced two malware-related security breaches within three months, and customer payment card information was compromised in both. The second breach exposed names, email addresses, billing and shipping details, order information, and full credit/debit card data, including card numbers, expiration dates, and security codes. The first incident had been disclosed earlier in the same year, and the company did not provide affected customers with complimentary mitigation services after either breach.
Description
BackcountryGear.com experienced two separate malware-driven payment card breaches within a three-month period in 2014. The first incident was publicly disclosed in July 2014, though specific dates and duration for that initial breach were not detailed in available notifications. The second breach occurred between October 11 and October 17, 2014, with the company discovering the compromise on October 17. Both incidents involved unauthorized access to customer payment systems through malware designed to harvest financial data. The October breach marked a recurrence of similar security issues despite the company having previously addressed and disclosed a prior intrusion earlier in the same year.

The malware deployed in the October incident captured customers' names, email addresses, billing and mailing addresses, order information, credit or debit card numbers, expiration dates, and security codes. BackcountryGear.com co-founder and owner Michael Monson notified affected consumers directly by letter about the scope of the October breach and the types of data stolen. The company did not provide complimentary credit monitoring, identity protection services, or other compensatory measures to impacted individuals following either breach. The repeated compromise of the same categories of sensitive payment information in both incidents indicated persistent vulnerabilities in the company's e-commerce infrastructure. Available information did not state whether the same threat actors or malware variants were responsible for both breaches, nor did it specify the total number of customers affected by either event.
