Fitness Depot Canada customers have been warned of a privacy breach resulting from a cyberattack targeting transactions involving its e-commerce operations.
“Fitness Depot believes that the cyber criminals may have accessed and or removed personal information relating to certain individuals who made purchases for delivery and or who made purchases for in-store pick up at one of our retail locations,” the company said in an undated notification.
Customers with home delivery were affected Feb. 18 to April 27. Those using home delivery or store pickup between April 28 and May 22 may be affected, the company said.
“Fitness Depot has no knowledge that any of our customer information was compromised in any manner,” the notice said.
Office of the Privacy Commissioner of Canada spokesman Vito Pilieci said the office was notified of the breach.
“We have been in contact with the company and remain engaged. We have not opened a formal investigation at this time,” Pilieci said. “Due to confidentiality provisions under the Personal Information Protection and Electronic Documents Act, Canada's federal private sector privacy law, we cannot offer further details at this time.”
The company notice said it was notified of the breach May 22 and immediately shut down those operations.
Information accessed could have included names, addresses, email addresses, telephone numbers and credit card numbers used in transactions, the notice said.
The notice said preliminary findings indicate the company’s Internet Service Provider neglected to activate the anti-virus software on the company account.
“All of our transactions for E-commerce are through PayPal,” Fitness Depot said. “It appears the cyber criminals were able to place a form on our Fitness Depot website that was misleading. Once our customers were redirected to this form the customer information was copied without the authorization or knowledge of Fitness Depot. This is how the personal information was captured and stolen.”
The company has advised customers to monitor account statements and credit reports for unusual activity.
“If you feel that your personal customer information was in fact compromised in any way, please let us know immediately,” the notice said.
Fitness Depot has not placed a visible notice to customers on its website.
B.C.’s Office of the Information and Privacy Commissioner was not notified of the breach. Notifications are not mandatory, a situation the office has repeatedly asked to have changed.
Fitness Depot Canada is headquartered in Cornwall, Ont. That province’s privacy commissioner referred queries to the federal commissioner.
“The Information and Privacy Commissioner of Ontario provides oversight for provincial access and privacy laws that apply to Ontario institutions such as ministries, colleges, hospitals and child and family service providers,” the Ontario commissioner’s office said in a statement.
The company did not respond to requests for comment.