Cyber Incident Victim: Louis Garneau Sports

On or around June 8, 2023, Louis Garneau Sports Inc., a company based at 30 rue des Grands-Lacs in Saint-Augustin-de-Desmaures, Québec, Canada, experienced an external system breach. The incident was characterized as a hacking event. The breach was not discovered until July 26, 2023, indicating a period of approximately seven weeks between the initial compromise and its detection. The unauthorized party gained access to and acquired sensitive personal information belonging to a total of 2,966 individuals. This compromised data included the name or another personal identifier of these individuals in combination with their financial account number or credit/debit card number. Furthermore, this financial data was acquired in combination with the security code, access code, password, or PIN for the account, significantly increasing the potential for misuse and fraud.

The breach impacted individuals across multiple jurisdictions, including 16 residents of the state of Maine. The company, categorized as an 'Other Commercial' organization, engaged external legal counsel to manage the incident response and notification process. The breach was reported to the Maine Attorney General's office by Shawn Ford, who held the title of Breach Coach and was affiliated with the firm Henri & Wolf Inc. This reporting was completed on July 28, 2023, just two days after the breach was discovered, in compliance with state data breach notification laws.

In response to the incident, Louis Garneau Sports Inc. opted to provide written notification to all affected individuals. The planned date for this consumer notification was set for August 28, 2023. This method of communication was chosen to formally inform the victims about the compromise of their sensitive personal and financial information. Recognizing the heightened risk posed by the specific type of data exfiltrated, the company also made the decision to offer identity theft protection services to those impacted by the breach. These services were provided through TransUnion's CyberScout program and were described as a Single Bureau monitoring service. The offering included a duration of 12 months of coverage, aimed at helping affected consumers detect and respond to potential misuse of their personal information.

The compromise of financial account details in conjunction with authentication codes such as PINs or security codes presented a direct and immediate threat of financial fraud to the affected individuals. This type of data combination allows malicious actors to potentially conduct unauthorized transactions and gain access to bank accounts or make fraudulent purchases using credit card information. The offering of credit monitoring and identity protection services was a direct measure to mitigate these specific risks, providing a mechanism for early detection of such fraudulent activities. The delay between the breach occurring and its discovery allowed the attackers a substantial window of opportunity to exploit the stolen data before any protective measures could be implemented for the victims. The company's response actions, including the engagement of specialized legal counsel specializing in breach response, indicate a structured approach to managing the legal and regulatory obligations stemming from the incident. The filing with the Maine Attorney General's office serves as a public record of the event and the steps taken to address its consequences for the affected Maine residents.