Cyber Incident Victim: Fitness Depot
Date: Feb 2020
Location: Canada
Summary
Fitness Depot experienced a data breach resulting from a Magecart web skimming attack where malicious scripts were injected into its e-commerce platform, compromising customer information during online transactions. The attackers harvested personal and financial data, including names, addresses, email addresses, telephone numbers, and credit card details from individuals making purchases for home delivery or in-store pickup. The company attributed the incident to its internet service provider's failure to activate antivirus software, though such responsibility is atypical for ISPs. While the breach impacted customers over multiple months, the retailer stated it had no confirmed evidence of data misuse but advised vigilance against potential fraud.
Description
Fitness Depot, Canada's largest specialty exercise equipment retailer with 40 stores nationwide and two in Texas, experienced a data breach affecting its e-commerce platform between February 18 and May 22, 2020. The company disclosed the incident in a June 2020 notification letter to customers, attributing the breach to a Magecart-style web skimming attack. Threat actors compromised the online store and injected malicious JavaScript into checkout pages, creating a fraudulent form that copied and exfiltrated customer information without authorization. Security firm Sansec detected payment card skimming scripts active on the platform between April 2 and May 17, 2020, confirming the e-skimming campaign's duration. The attackers harvested names, addresses, email addresses, telephone numbers, and credit card numbers from affected customers during checkout processes for both home delivery and in-store pickup orders.

The breach occurred in two distinct phases based on Fitness Depot's notification. From February 18 to April 27, only customers selecting home delivery were impacted. Between April 28 and May 22, the compromise expanded to include customers choosing either home delivery or in-store pickup. The company asserted its internet service provider failed to "activate the anti-virus software" on their account, though the article notes this explanation appears inconsistent with typical ISP responsibilities. Fitness Depot maintained no definitive evidence that stolen data was misused, while simultaneously warning customers to monitor credit reports and financial statements for fraud. The retailer did not disclose specific containment measures beyond removing the malicious form, and conflicting statements emerged between the confirmed data theft described in the notification and the company's public claim of having "no knowledge" of actual information compromise.
