Cyber Incident Victim: In Sport

Date: May 2020

Location: Australia

Summary

An Australian activewear retailer suffered a ransomware attack that compromised its head office server and computers and was attributed to the Sodinokibi (REvil) group. The attackers exfiltrated data, including merchandise cost and sales records, before encrypting systems, and later leaked portions of it on the dark web as proof. The hosting platform removed the initially posted files, which contained sensitive business documentation and directory screenshots, but the stolen data remained in circulation among unauthorized parties. The breach occurred amid heightened cybercriminal activity targeting organizations during pandemic-related disruptions. The intrusion was detected in mid-May, but the full extent of data access remained uncertain.

Description

On May 16, 2020, Australian activewear retailer In Sport detected a ransomware attack targeting its head office server and computers. The intrusion occurred amid heightened cybercrime activity during the COVID-19 pandemic. Attackers deployed ransomware that encrypted organizational systems, though the initial breach vector remained unspecified in available reports. Subsequent analysis attributed the attack to the Sodinokibi ransomware group, also known as REvil, based on their public claims and supporting evidence. As proof of the compromise, REvil uploaded stolen data to a dark web platform, including files detailing merchandise costs, sales figures, and proprietary business information. The leaked records primarily contained commercial data related to branded products sold by the retailer. The hosting platform later removed the exposed files, though REvil’s initial disclosure ensured broader circulation of the data across other dark web channels. Attackers supplemented the data dump with a screenshot displaying directory structures from In Sport’s systems, corroborating their unauthorized access.

In Sport notified affected customers via a formal letter disclosing the incident but explicitly stated investigators could not confirm which specific files hackers accessed during the intrusion. The ransomware’s encryption of systems compounded operational disruptions while stolen data exposure created secondary risks of misuse. REvil’s actions aligned with their double-extortion tactics, combining system lockdowns with threats to release sensitive information unless ransom demands were met. The incident exemplified escalating ransomware threats targeting retailers during pandemic-related operational shifts, though In Sport did not publicly disclose whether it paid a ransom or detailed system recovery timelines. Consequences included confirmed unauthorized access to commercial data, potential exposure of customer information implied by the breach notification, and reputational damage from public dark web disclosures. The company’s public communications focused on acknowledging the attack and forensic challenges without elaborating on remediation steps beyond customer notification.
