Sock-maker Bombas has settled the most uncomfortable data-breach probe in the history of feet.
New York Attorney General Letitia James on Thursday announced that Bombas LLC — whose ads call their products “the most comfortable socks in the history of feet” — will pay $65,000 in fines for waiting three years to tell 39,561 online customers that their credit and debit card data had been breached.
The online socks retailer will also “implement a number of data security policies” to ensure that customer cards are safer and that any future breaches are reported immediately, the AG said in a press statement.
“New Yorkers deserve to shop with confidence and have faith that their personal information will be protected,” James said.
Bombas discovered the hack on Nov. 29, 2014, but did not fix the problem until Jan. 15, 2015, two weeks later. Adding insult to injury, a few weeks after that, Bombas accidentally reintroduced the malware into the website, the AG said.
The retailer — which says it donates a pair of socks to homeless shelters for every pair bought — failed to permanently delete the bad code until Feb. 8, 2015, the AG said.
And it didn’t tell consumers about the breach until May 2018, more than three years after first learning of it, in violation of state law.
Only at that point did Bombas offer consumers two years of free credit monitoring and ID theft services as required by law.
“It was determined that the intruders accessed customer information including names, addresses, and credit card information of 39,561 payment card holders — roughly 2,971 of whom were New Yorkers,” James said.
The retailer said of the settlement: “Bombas is pleased to close out this 2014 security incident. Our e-commerce protections and capacities have grown immensely over the last five years, and we remain committed to our customers’ security and satisfaction, as well as our efforts to improve the community where we all work and live.”