An outside group may have accessed the online personal information of several Running Room customers in Canada over the past few months, the running shoe retailer said.
In an email to customers on Friday obtained by CTVNews.ca, the company said it “recently identified and resolved” a security incident involving “a subset of user data.” .
The retailer says an “unauthorized group” accessed and “stolen” a customer’s email, name, address, phone number and credit card information — including numbers, expiration dates and security codes CVV — from November 19, 2022 to January .18, 2023.
An email from Running Room said skimming may have captured the information of people who purchased something on the company’s Canadian website during that time period.
Email recipients are identified as having made a purchase during that time.
“In response to this finding, we immediately launched an investigation and have ruled out their ability to obtain this information,” the email read.
Running Room says it is working with law enforcement, the privacy commission and the Canadian Cybersecurity Center.
The company posted similar details of the data breach on its website, last updated on January 23.
It’s unclear exactly how many customers were affected by the data breach.
When asked about this, Running Room’s chief financial officer Roger Dang told CTVNews.ca in a statement that the vulnerability “affects only a small group” of their online shopping customers, all of whom have already be informed.
He added that Running Room became aware of the issue on January 18 and “located and removed the vulnerability immediately upon learning of unauthorized access.”
“We are currently working with police authorities and are cooperating with the investigation and are unable to comment further at this time,” the statement from Dang said.
The company said it believes the purpose behind the “stealing” of customer data is to resell credit card information.
“There is a possibility that the information could be used for social engineering, fraud, and personal misrepresentation,” the Running Room said.
Users should review their credit card statements and reset the password for their Running Room account, as well as any other online services that use the same password. The company also said it has also put in place “enhanced security measures”.
