January 18, 2017

SwimOutlet.com Data Breach Stats

Yesterday, Tues Jan 17, I received a 🐌 snail mail “Re: Notice of Data Breach” letter from SwimOutlet dated Jan 12, 2017. I’m having a hard time confirming the validity of this letter on the Internet. Using phrases in the letter, I’ve found a single match PDF on justice.oregon.gov. Based on the PDF on justice.oregon.gov YogaOutlet.com shares the same infrastructure and was also affected. Assuming it is real, incredibly SwimOutlet.com and YogaOutlet.com have no information about this on this website and I have no emails from SwimOutlet.com on this issue.

Here are some statistics I’ve calculated based on when I received the letter:

204 days of credit card data may have been stolen
79 days since credit card processor reported unusual activity to SwimOutlet.com
79 days since “immediately began” “work[ing] with third-party forensic expert”
28 days to confirm may have compromised credit card data
22 days or more that the criminals were on the systems
45 days SwimOutlet.com waited to notify customers after confirmation
5 days more wasted in the time an email would have been received and snail mail was received.
100% chance that debit and credit card data was stored insecurely: cardholder’s name, address, phone number, email address, card number, expiration date, and CVV
2 pages of generic “remain vigilant” useless credit reporting bureaus reminding you how insufficient industry’s and government’s safeguards are.
1 unlisted phone number that if lucky is actually a Subway in Wilkesboro, NC
Zero information published online by SwimOutlet.com / YogaOutlet.com
F grade for response and communicate by SwimOutlet.com
0% chance I’ll trust these people with my payment information ever again

Here is the sample letter from justice.oregon.gov that seems to read verbatim to the letter I’ve received:

January 12, 2017

Re: Notice of Data Breach

Dear Sample A Sample:

For nearly 15 years at SwimOutlet.com, our customer service and online shopping experience have been our company’s top priorities, so we were dismayed to learn in late November that we had been the victims of a sophisticated cyber-attack that may have affected the security of our customers’ payment information.

We are contacting you personally to provide you with clear information about the incident, steps we are taking in response and action you can take to protect against fraud should you feel it is appropriate.

We apologize for the inconvenience this may have caused and can assure you that we worked hard with top security experts to make our site as safe as possible from these cyber-criminals going forward.

What Happened? On October 31, 2016, we began investigating some unusual activity reported by our credit card processor. We immediately began to work with third-party forensic experts to investigate these reports and to identify any signs of compromise on our systems. On November 28, 2016, we received confirmation of a sophisticated cyberattack in which a hack into our system may have compromised some customers’ debit and credit card data used at http://www.swimoutlet.com between May 2, 2016-November 22, 2016. The information at risk as a result of this event includes the cardholder’s name, address, phone number, email address, card number, expiration date, and CVV.

Our Response: What We Are Doing. We take the security of our customers’ information extremely seriously and we have been working with independent forensic investigators to determine what happened, what information was affected and to implement additional procedures to further protect the security of customer debit and credit cards. We are also working with the Federal Bureau of Investigations to investigate this incident. The software from the criminals that attacked our system has been removed and you can safely use your payment card at http://www.swimoutlet.com.

What You Can Do. Please review the enclosed Privacy Safeguards Information for
additional information on how to better protect against identity theft and fraud. We
encourage you to remain vigilant against incidents of identity theft by reviewing your account statements regularly and monitoring your credit reports for suspicious activity. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit bureaus. To order one, visit http://www.annualcreditreport.com or call 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of their credit report.

For More Information. Should you have any questions about the content of this letter or ways you can better protect yourself from the possibility of identity theft, we encourage you to call the dedicated assistance line, staffed by professionals who are experienced in working through situations like this, at (877) 237-5190, Monday through Friday, 9 a.m. to 7 p.m. EST (closed on U.S. observed holidays) and provide reference number 1219010417 when calling.

The security of your information is incredibly important to us and we let down our
customers, which is why we wanted to contact you as promptly and with as much detail as we could. We are truly sorry about this. The incident will only make us work harder to be the best aquatics shop on the web and serve our customers as best as we possibly can.

Sincerely,

Avi Benaroya
Chief Executive Officer, SwimOutlet.com

11 comments

January 18, 2017 - 8:07 am anonymous

Isn’t it illegal that they saved our credit card information on file in their systems if we specifically did not authorize that during our purchase transaction process? How come SwimOutlet.com was saving everything down to the expiration date and CVV number? I was going to reach out to them but decided to research the breach online first, now I’m stumped as to what action I can take besides creating a “fraud alert” with the major credit bureaus, an action that I’m unclear will protect me, but definitely might be a nuisance in the future if I need to apply for credit anywhere. Did you end up filing a fraud alert, and did you get any response from your inquiry with SwimOutlet directly?

Reply
- January 18, 2017 - 10:18 am Lloyd Dewolf
  
  Wow, if SwimOutlet.com did save the credit card info when you didn’t authorize it, that does sound illegal.
  
  SwimOutlet.com has confirmed the validity of the letter: https://twitter.com/SwimOutlet/status/821582717590585344
  
  No, I’m not planning to take any action.
  
  Reply
January 18, 2017 - 10:24 am Lloyd Dewolf

Zella Ondrey shares on twitter as @zellaondrey:

No swimsuit is worth a #badcredit burn! Do NOT order #online from @SwimOutlet. #data #security #breach of #creditcard info! Buyer beware!

— Z.L.O. (@Bristol1730) January 17, 2017

Get the word out! Do NOT order #online from @SwimOutlet. #data #security breach and 6 week late notification = #customer nightmare!

— Z.L.O. (@Bristol1730) January 17, 2017

Reply
January 18, 2017 - 4:41 pm carkim

I got the same letter what is everyone going to do about this?

Reply
January 18, 2017 - 9:58 pm Lloyd Dewolf

https://twitter.com/KevBurson/status/821915624544890885

Reply
January 18, 2017 - 9:59 pm Lloyd Dewolf

Done with @SwimOutlet .com now I know why Credit Card had so much fraud. Worst breach ever. Days to clean up and P info forever exposed BAD!

— Oscar Thomas 🇺🇸🟦 (@AapOscar) January 19, 2017

Reply
- January 19, 2017 - 7:48 pm kimtawfik (@kimtawfik)
  
  Data Breach for me as well on SwimOutlet.com. Hundreds of dollars charged on debit and credit cards. Phone call and paperwork nightmare. Never shop with them again. I wonder if possible class action law suit will come of this?
  
  Reply
January 22, 2017 - 10:33 am lizhe05

My amex card was charged $500 twice from an online toy store. The latter was declined by the issuer and I was immediately notified when this happened. I was wondering how someone else could know my card information as I have been pretty careful with credit cards, until I received the postal mail mentioned above. Done with the website

Reply
February 10, 2017 - 7:48 am Anonymous

Apparently they also sold our home addresses to other companies without our approval as I’m now receiving junk mail from a company called Chewy.com (a pet products online store). SwimOutlet.com is a time suck for all the mess they created with my stolen info/credit card #, and they aren’t helpful when you make contact via phone/email.

Reply
February 15, 2017 - 7:02 am Steve McAleer (@SteveMcAleer1)

When I called Swim Outlet I spoke to a Supervisor. The Supervisor confirmed the stolen customer PII was not encrypted or tokenized. I asked why they are not providing credit protection to their customers when the data was not encrypted or tokenized. The Supervisor stated the PII data was about to be encrypted. I take this to mean they had parts of their payment processing that is not encrypted or PCI compliant or they later move (unencrypted) this PII data. Clear example of an organization that should outsource (i.e.; First Data, ..) their credit card processing to the professionals. They claim their working with law enforcement and have addressed the gaps in their business processes. Lost my business for life!

Reply
April 19, 2017 - 9:46 am Maria Cox

Amex card used at Swim Outlet just recently used several times. The problem is ongoing. There needs to be a change in storing so much information. One and done is the only way for this to get resolved. I do not have a problem reentering my information. I never authorized such comprehensive storage. This is a breach of contract in my estimation. I will not use this site again until there are assurances that the process of non permitted storage has stopped…. I may never return actually as there has been no ongoing effort to keep customers informed of S/O effforts to resolve/solve this problem.

Reply