StockX could be facing legal problems after it was breached by “an unknown third party”

Fashion and sneaker trading platform StockX could face some legal issues down the road after initially telling users to reset passwords due to “system updates” and later revealing it was due to a hack attack.

StockX sent out emails on Thursday August 1, informing customers that their passwords were reset due to “system updates”. However, tech publication Engadget kept prodding the company. This resulted in the company later confirming in a statement that it had taken action after “recently [being] alerted to suspicious activity involving our platform.”

A longer statement from StockX continued: “Upon learning of the suspicious activity, we immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist.

“Though our investigation remains ongoing, forensic evidence to date suggests that an unknown third party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords and purchase history. From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted.”

It added that it had immediately taken precautions like issuing the password reset, high-frequency credential rotations on all servers, a lockdown on its cloud computing perimeter and a system-wide security update.

According to a report by TechCrunch, the breach could have compromised 6.8 million people. The publication acquired the figure from speaking with an anonymous data seller who claimed the records were stolen in May, although the seller reportedly declined to say how they obtained the data. TechCrunch was given a sample of 1,000 records and contacted the people listed. Everyone it contacted confirmed the data on them was correct.

StockX is now facing criticism for how it initially handled the breach, as it said the password reset was due to a system update and not because of a potential hack. Some social media users have, for instance, publicly sworn off the site.

But StockX could also be facing some legal issues because of its initial handling of the case, according to a report by The Fashion Law. However, as it is unclear just how big the breach was and what data was compromised, it is challenging to say exactly which laws would apply – if any can be triggered at all.

The publication stated that US legislation on how companies should deal with hack attacks differs from state to state. So while the compromised data may not be cause for legal action in some states, it could be in others.

The Fashion Law continued by explaining that all 50 states require individuals whose personal information has been compromised to be informed in a timely manner.

However, it can be difficult to determine exactly what being informed in a timely manner means, as breach investigations can take a lot of time before companies find things that should be disclosed. At this juncture, it is unclear whether the compromised data could be enough to trigger US laws.

The Fashion Law noted that the EU’s General Data Protection Regulation (GDPR) has a lower bar for what constitutes personal data. GDPR applies to any company that has a presence in the EU or that processes EU citizens’ personal data. It is unclear whether any EU citizens were affected by the StockX breach, according to The Fashion Law report.

Under GDPR, a breach must be reported to the relevant supervisory authority within 72 hours of the company becoming aware of it, or the company must provide good reasons as to why this was not done. Failing to comply with the EU’s privacy laws could land a business a fine of up to four per cent of its global annual revenue or €20m, whichever is greater.


Copyright © 2018 RegTech Analyst
