Cyber Incident Victim: Johnson Fitness and Wellness

Date: Oct 2022

Location: United States of America

Summary

A multinational fitness equipment retailer experienced a significant cyberattack by the DESORDEN Group, resulting in the theft of 71 GB of sensitive data involving suppliers, dealers, customers, and employees. The compromised information included internal operational documents, financial records, and personal details such as names, addresses, phone numbers, and dates of birth, while employee credentials were exposed in plaintext. Attackers circumvented security measures by pivoting through multiple servers over an extended period, maintaining persistent access to the network. Despite receiving evidence of the breach, the victim organization did not engage with the threat actors, prompting DESORDEN to pursue selling the exfiltrated corporate data and trade secrets externally.

Description

On or around October 9, 2022, the DESORDEN Group publicly announced a cyberattack against Johnson Fitness and Wellness, a U.S.-based exercise equipment retailer and subsidiary of Taiwan-listed Johnson Health Tech. The attackers claimed to have exfiltrated 71 gigabytes of data encompassing information related to suppliers, dealers, customers, and employees, alongside internal operational documents and financial records. While most sample files shared by DESORDEN on a hacking forum reportedly lacked personal information, exclusive samples provided to DataBreaches.net contained customer details including names, addresses, phone numbers, and dates of birth. A significant discovery within the leaked data was a "sysusers" file containing employee usernames, email addresses, and plaintext passwords—a security lapse DESORDEN described as unusual for a large corporation. The group stated the breach required extensive effort, as initial access to Johnson’s mainframe server was obstructed by antivirus software and firewalls blocking outgoing connections.

DESORDEN overcame these obstacles by compromising additional servers within the same network, eventually using one as a bridge to reach the mainframe and extract data. The group estimated they maintained access to Johnson’s systems for months prior to the announcement and claimed ongoing access at the time of reporting. DESORDEN attempted to communicate with Johnson Fitness via email, providing samples of stolen data and a video, but received no response despite evidence that Johnson viewed the communications and downloaded the provided materials. The group’s typical ransom negotiation process involves waiting for victim engagement before determining a demand amount; Johnson’s lack of response precluded any specific ransom demand. DESORDEN indicated no intention to escalate pressure through further communication, expressing confidence in monetizing the stolen corporate data, trade secrets, and personal information through alternative channels. The incident highlighted vulnerabilities in Johnson’s network architecture and credential storage practices, though the company did not publicly acknowledge the breach or disclose any containment or remediation actions.
