Cyber Incident Victim: Bombas

Date: Sep 2013

Location: United States of America

Summary

A sock retailer experienced a cybersecurity incident involving malware embedded in a third-party e-commerce platform, compromising customer credit card information over an extended period. The malicious code was detected and removed in two phases but persisted from the website's launch until its complete eradication. Due to the inability to pinpoint affected transactions, approximately 41,000 customers making purchases during the vulnerability window were notified significantly later. The company migrated to a new service provider and platform following the breach.

Description

Bombas experienced a data breach affecting customers who made credit card purchases through its website between September 1, 2013, and February 9, 2015. The company initially relied on an external vendor for website development and management, along with a third-party e-commerce platform to process transactions. Malware embedded in the e-commerce platform's code was first identified and partially removed on January 15, 2015, with complete eradication occurring on February 9, 2015. Due to the extended timeframe of potential exposure—spanning over 17 months from the website's launch—Bombas could not definitively ascertain which specific transactions were compromised. As a precautionary measure, the company notified all approximately 41,000 customers who conducted credit card transactions during the entire period of possible malware presence. The breach notification letters explicitly stated the uncertainty regarding individual impact while confirming the window of vulnerability.

Following the malware removal in February 2015, Bombas migrated its website operations to a different service provider and ultimately implemented a new e-commerce platform. The company submitted breach documentation to state authorities including Oregon and California, with California's notification dated May 21, 2018. This disclosure occurred more than three years after the final malware eradication, creating a significant gap between incident resolution and consumer notification. DataBreaches.net contacted Bombas seeking clarification about the delay but received no immediate response. No additional details regarding forensic findings, attacker attribution, or specific data exfiltration methods were disclosed in the available notification materials or public statements. The breach scope remained confined to credit card information processed through the compromised e-commerce system during the defined operational period.
