Sock company Bombas fined by NYS for delayed notification of data breach

There’s a follow-up to the Bombas breach that was previously reported on this site. Laura Italiano reports:

Sock-maker Bombas has settled the most uncomfortable data-breach probe in the history of feet.

New York Attorney General Letitia James on Thursday announced that Bombas LLC — whose ads call their products “the most comfortable socks in the history of feet” — will pay $65,000 in fines for waiting three years to tell 39,561 online customers that their credit and debit card data had been breached.

Read more on the NY Post.

The press release from the NYS Attorney General’s Office is reproduced below:

NEW YORK – Attorney General Letitia James today announced that Bombas LLC has agreed to pay $65,000 in penalties and implement a number of data security policies to resolve an investigation by the New York Attorney General’s Office into the breach of customer payment cards where the company failed to provide notice of the breach to 39,561 consumers for over three years.

“New Yorkers deserve to shop with confidence and have faith that their personal information will be protected,” said Attorney General Letitia James. “This agreement will ensure better protection of New Yorkers’ personal information and notice of a breach in a timely manner. My office will continue our commitment to combat inadequate data security in New York.”

On September 27, 2014, an unauthorized intruder(s) inserted malicious software code designed to steal payment card information into the Magento ecommerce platform code supporting Bombas’ website. While Bombas discovered the code on November 29, 2014, it did not remediate it until January 15, 2015. Additionally, the code was mistakenly reintroduced into the website by Bombas a few weeks later. The code was permanently deleted on February 8, 2015. It was determined that the intruders accessed customer information including names, addresses, and credit card information of 39,561 payment card holders, roughly 2,971 of whom were New Yorkers.

Bombas LLC began notifying affected consumers in May 2018, more than three years after the company learned of the breach. Because Bombas did not notify the affected consumers and relevant New York agencies in an expedient time-period, and without unreasonable delay, it violated General Business Law § 899-aa. Bombas offered the potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services through Kroll Inc., which is not required by law.

In addition to the monetary settlement, Bombas LLC has agreed to a number of injunctive provisions aimed at preventing similar breaches in the future, including conducting thorough and expeditious investigations of any future data security breaches involving private information and conducting trainings for all appropriate officers, managers, and employees of their roles and responsibilities in ensuring that Bombas LLC investigates suspected data breaches and complies with GBL § 899-aa.

This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger. The Internet and Technology Bureau is overseen by Chief Deputy Attorney General for Economic Justice Christopher D’Angelo.
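The press release describes two distinct failures on the technical side: tampered platform code sat on the site for weeks before remediation, and the same code was then reintroduced after cleanup, presumably from a deployment or backup that still contained it. A file-integrity baseline is the routine control that catches both. The script below is an added example written for this post, not code from Bombas, Magento, or the Attorney General's Office; the web-root layout, file names and the "tampered" marker string are constructed for the demonstration. It hashes every file under a web root, reports files that differ from a trusted baseline, and keeps the hashes of files previously removed as malicious so that a reintroduced copy is flagged by name even if the baseline itself has since been refreshed.

```python
"""File-integrity baseline for an ecommerce web root (added example, constructed data)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: these suffixes are noisy runtime artifacts, not code, and are excluded.
SKIP_SUFFIXES = (".log", ".cache")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (as a relative POSIX path) to its SHA-256 hash."""
    result: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix in SKIP_SUFFIXES:
                continue
            result[path.relative_to(root).as_posix()] = sha256_file(path)
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed, or changed relative to the trusted baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def reintroduced(current: dict[str, str], quarantined: set[str]) -> list[str]:
    """Files whose current hash matches content previously removed as malicious."""
    return sorted(path for path, digest in current.items() if digest in quarantined)


def demo() -> dict[str, list[str]]:
    """Walk through detect -> remediate -> reintroduce on a constructed web root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        clean = b"function checkout(){ submitForm(); }\n"
        tampered = b"/* tampered */ function checkout(){ submitForm(); }\n"  # constructed marker
        (root / "js" / "checkout.js").write_bytes(clean)
        (root / "index.php").write_bytes(b"<?php echo 'shop'; ?>\n")
        (root / "var.log").write_bytes(b"ignored\n")
        baseline = snapshot(root)

        # Incident: the checkout script is altered in place.
        (root / "js" / "checkout.js").write_bytes(tampered)
        during = snapshot(root)
        first = diff_snapshots(baseline, during)
        quarantined = {during["js/checkout.js"]}  # remember the bad content's hash

        # Remediation: the clean copy is restored; the diff goes quiet.
        (root / "js" / "checkout.js").write_bytes(clean)
        after_fix = diff_snapshots(baseline, snapshot(root))

        # Later deployment restores from a stale copy that still carries the altered file.
        (root / "js" / "checkout.js").write_bytes(tampered)
        latest = snapshot(root)
        return {
            "first_detection": first["modified"],
            "after_fix": after_fix["modified"],
            "reintroduced": reintroduced(latest, quarantined),
        }


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label}: {paths}")
```

The quarantine set is the piece that addresses the "mistakenly reintroduced" step: a plain baseline diff only tells you a file changed, whereas a match against previously removed content tells you the exact earlier compromise is back, which should block the deployment rather than just raise a ticket. In practice the baseline and quarantine hashes must be stored off the web server, since anything that can alter platform code can also alter a baseline kept beside it.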

About the author: Dissent