Outdoor sporting goods store Backcountry Gear has sent out letters once again this year to inform customers of a data breach. The timeline goes a little something like this:

July 28 2014 – www.backcountrygear.com contacts customers about a payment information breach. Hackers installed malware and stole payment information. The company sent out a letter to those affected, claiming that their systems are now okay and that they “take the security of your information very seriously”.

October 22 2014 – www.backcountrygear.com contacts customers about a payment information breach. Hackers installed malware and stole payment information. The company sent out a letter to those affected, claiming that their systems are now okay and that they “take the security of your information very seriously”.

Either something is seriously wrong at Backcountry Gear or they just enjoy sending out letters.

Notice these two sentences from the first data breach’s letter:

Our site is now secure and measures have been implemented to prevent similar attempts in the future.

We take the security of your information very seriously.

Now let’s compare those two sentences to similar ones in the second data breach’s letter:

Our site is now secure and measures have been implemented to prevent similar attempts in the future.

We take the security of your information very seriously.

…huh.

It’s one thing to leak customer data, but it’s a bigger problem if the exact same thing happens again after saying that you’ve taken measures “to prevent similar attempts”.

I don’t know the ins and outs of Backcountry Gear and I’m not going to pretend I do, but if you hold customer data and promise to look after it, then do so.

Response, remediation and audit

I spoke to Alan Calder, founder and executive chairman of IT Governance, who said, “The situation at Backcountry Gear further illustrates the need for rapid incident response and complete remediation, with a post-remediation audit.”

Calder continued, “If cyber criminals succeed in stealing your data, then they will come back for more. You’ll be a fool to have not shut the door behind them and checked the locks.”

If shutting the door and regularly checking the lock is something you’d like to implement in your organisation, then you’ll be interested in this month’s special offer: book IT Governance’s Combined Infrastructure and Web Application Penetration Test in November and get an email phishing campaign to test staff awareness absolutely free.