Fitness Depot hit by data breach after ISP fails to ‘activate the antivirus’

June 25, 2020
Fitness Depot data breach brand protection website protection vulnerability compromised data website intrusion

The coronavirus has forced the people of this planet to adjust forcibly and make way to a new normal—closing businesses and facilitating the downfall of employment rates all over the globe. People have adapted to specific quarantine protocols and indoor routines to prevent any further spread of the virus, or in a more straightforward perspective, trying to stay alive. For some businesses, online selling has become the perfect avenue to reach out to customers to advertise and sell their products. Canada’s Fitness Depot, the country’s largest fitness equipment retailer, saw that people have been adjusting and working out indoors.

With almost half the population relying on the internet to order food, purchase fitness equipment, and all sorts of other merchandise to cope with and satisfy their indoor requirements. Fitness Depot stepped up and aggressively made sales via its online store. Their sales saw a massive jump in profits and have continued their progress despite the current pandemic.

Unfortunately for Fitness Depot, it seems all good things must come to an end, figuratively speaking. A recent discovery threw the company off balance. They were being hacked since February, and the actual data breach was seen and reported just last May, almost the end of the month too.

According to security researchers who did the initial investigation, the hackers planted malicious forms on the company’s official website, paving the way for their subsequent attacks. The injected forms went on to replicate their official website’s entire environment, including their registration, payment, and checkout pages. The attack led to Fitness Depot’s customers unknowingly providing their personal and account information on the website, without any sort of indication that the form is redirecting it to the hackers.

The security researchers said that the attack has all the makings of a Magecart-style intrusion. From accounts and credit card skimming up to the redirection process, these were all engineered to steal and collect personal information.

The entire stealth operation ran for over 3-months straight before the security researchers discovered it. Fitness Depot immediately shut its website down, including its primary network as the first-level precaution.

With this alarming development, Fitness Depot, together with the investigators, points their blame towards the ISP or Internet Service Provider. Their ISP failed to enable the antivirus, thereby allowing the intrusion altogether. The lapse remains to be debated by the experts as the researchers are still investigating, and what’s more important is to assess the damage against Fitness Depot and its customers.


Fitness Depot has already released a statement and immediately sent out notifications to its customers regarding the data breach.


Additional advisories for data protection was given to their clients to track and prevent any further incidences.

As of this writing, there is no concrete evidence that would indicate that the hackers have gone off with or exposed their customers’ personal and account information. Customers are advised to report any suspected indications of cyber or identity theft to the local authorities immediately.

About the author

Leave a Reply