First StockX forced a password reset, telling customers it was due to a system update, now it turns out that not only were over 6 million user records exposed, but that data is for sale by hackers.
Online shoe reseller, StockX abruptly forced all users to reset their passwords a couple weeks ago saying it was necessary as part of a system update. It was later revealed that StockX had been made aware of “suspicious activity” which turned out to be a breach of 6.8 million records including usernames, full name, shoe size and what currency they use to make purchases.
Those records then ended up on the dark web and sold for $300.
Because StockX entered the European market late last year, they have had time to gather a large number of EU customers, making this a potentially large GDPR violation. With $700 million in revenue last year, the breach alone may cost the company over $11 million; this doesn’t count other fines and charges from the continued damage from the sale of the data on the dark web.
But probably one of the worst things about this is the fact StockX didn't actually disclose the breach; they swept it under the table with a 'system update" and hoped no one would find out. That's not going to make it any easier on them as the legal gears start to turn.
The National Law Review has a nice article on the legal implications of this breach:https://www.natlawreview.com/article/sorry-sir-our-data-breach-response-plan-out-stock
and TechCrunch did a remarkable job of investigative reporting here:https://techcrunch.com/2019/08/03/stockx-hacked-millions-records/
As of August 20, 2019 at least one lawsuit has been filed according to The Detroit News
And you can use the site "Have I Been Pwned" to find out if your username is in the database that was up for sale:https://haveibeenpwned.com/
See our Policy Management and Protection for ways Cloudentity builds security rules and CIAM Integration for how we connect identity to those rules to create a 360° security solution to help avoid exactly these kinds of problems