Cyber Incident Victim: Sport 2000
Date:
Apr 2024
Location:
France
Summary
A French sporting goods retailer experienced a cybersecurity breach involving an infostealer malware campaign, compromising personal data of over 4 million customers. Exfiltrated information included detailed customer profiles, purchase histories, segmentation data based on shopping behavior, and contact details, though financial credentials and passwords remained unaffected. The attack is attributed to the Epsilon cybercriminal group, known for francophone-targeted intrusions motivated by financial gain and notoriety. The company disabled loyalty account access, initiated forensic investigations, and reported the incident to national law enforcement and data protection authorities. Customers were advised to contact support services while the retailer emphasized ongoing efforts to mitigate risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 19, 2024, Sport 2000 France, a retailer specializing in sports equipment and apparel, suffered a cyberattack resulting in the theft of personal data belonging to 4,376,038 customers. The attackers employed an infostealer malware campaign to extract extensive customer information stored on the company’s systems. This type of malware operates covertly, scanning and exfiltrating personal data through vectors such as fraudulent emails, malicious file-sharing networks, or compromised downloads. In some cases, it captures real-time input via keylogging. The compromised dataset included postal addresses, civil identification details, data-sharing preferences, and highly specific commercial analytics such as purchase frequency, transaction amounts, product typologies (e.g., "family" or "leisure" categories), and segmentation based on purchasing behavior. A threat actor claiming responsibility advertised the sale of this dataset on dark web forums via a post on X.com, though no official claim was verified. Cybersecurity researcher Damien Bancal linked the attack to the French-speaking Epsilon group, citing their operational patterns and historical focus on Francophone targets. Epsilon, founded by individuals using the aliases "ChatNoir" and "Casquette," previously breached Shadow’s cloud gaming service in October 2023 and later attacked LDLC and BFMTV’s X.com accounts. The group’s motivations blend financial gain with reputational objectives, as evidenced by their public statements to Le Parisien acknowledging actions aimed at gaining notoriety.
Sport 2000 France confirmed the breach on its website, initiating standard response protocols including a national gendarmerie complaint and a mandatory notification to France’s data protection authority, CNIL. The company temporarily disabled access to customer loyalty accounts to prevent further exploitation and mobilized internal cybersecurity teams alongside external specialists to investigate the incident’s scope and implement containment measures. Explicit assurances were provided that no passwords or bank credentials enabling account access or payments were compromised. Store employees received instructions to assist affected customers during in-person transactions, while an online contact portal was activated for direct inquiries. The retailer emphasized its commitment to data protection and apologized for operational disruptions but did not disclose technical specifics regarding attack vectors or infrastructure compromises. No ransomware demands or negotiation attempts were mentioned in available sources, contrasting with Epsilon’s prior ransom negotiations during the LDLC incident. The attack occurred 15 days after a similar data theft targeting Intersport, another French sporting goods retailer, though no connection between the two incidents was confirmed.