StockX had previously issued another statement on its website, and that has been updated to reflect the contents of yesterday’s email. In the email, CEO Scott Cutler wrote, “We take the trust you place in us very seriously, and this is not the kind of experience we want for our community.”
He added, “On July 26, 2019, StockX was alerted to suspicious activity potentially involving customer data. We immediately launched a forensic investigation and engaged experienced third-party experts to assist.
“As our investigation continued, forensic evidence revealed that an unknown third party had been able to gain unauthorized access to certain customer data from our cloud environment on or around May 14, 2019.”
As to what information was involved, Cutler revealed that names, email addresses, addresses, usernames, hashed passwords, and purchase histories might have been affected. “There is no evidence to date to suggest that any of your financial or payment information has been affected,” he added.
In addition to outlining exactly what steps StockX is taking following the data breach, Cutler revealed that the company had contacted law enforcement and is working with them to catch the perpetrator. StockX is also offering everyone free fraud detection and identity theft protection for 12 months. The deadline to enroll is November 8.
Read the statement in full below:
Dear StockX Customer,
I wanted to reach out personally to follow up on the email you received from us on August 3, 2019 and to provide you with additional information about the data security incident we recently discovered.
First, let me say how much we regret that you are dealing with this issue at all. We take the trust you place in us very seriously, and this is not the kind of experience we want for our community.
While we have worked to do everything we could to best protect our customers, when we first communicated with our customers we did not have much information, which unfortunately is a frustrating reality of data incidents. I hope the facts below will provide better clarity into the timeline and our actions, but regardless, I do want to deeply apologize for any confusion. When we were first alerted to suspicious activity, we focused on identifying and taking proactive measures to protect the StockX community, which included a system-wide update and password reset. We also engaged third-party experts to investigate the suspicious activity to determine what happened and how serious it was. I am proud of our team for focusing on protecting the customer first, and I apologize for any ambiguity that resulted from our initial communication.
That is also why, even though we are still continuing to conduct a full investigation into the nature and scope of what happened, I want to send this notification now. I hope this will provide you with additional facts about the incident, steps we took in response to protect you, and measures we are taking to remediate any potential effects of this suspicious activity. I also want to assure you that we have contacted, and are working with, law enforcement to hold these illicit actors responsible, and have notified, or are notifying, appropriate regulators of the incident.
Please know how important you are to this community, and that your privacy and security are a top priority for us. Below you will find additional information about the incident and guidance on steps you can take to further protect yourself, as well as an offer from us for 12 months of free fraud detection and identity theft protection for added peace of mind. We stand ready to answer questions you may have.
On July 26, 2019, StockX was alerted to suspicious activity potentially involving customer data. We immediately launched a forensic investigation and engaged experienced third-party experts to assist. During this first week, while our forensic investigation into the suspicious activity was underway, we took proactive and precautionary measures to protect our customers. As described in greater detail in the “what are we doing” section below, we deployed a system-wide update, implemented a full password reset of all customer passwords for all StockX accounts, and on the morning of August 1, 2019 sent customers an email alerting them to the systems update and password reset.
As our investigation continued, forensic evidence revealed that an unknown third party had been able to gain unauthorized access to certain customer data from our cloud environment on or around May 14, 2019. We worked swiftly to issue an email update of the matter to our customers and are now making this notification to further apprise you of additional facts from our investigation.
As part of our efforts to catch the perpetrator, we have contacted law enforcement and have been working with them in their investigation of the incident. Our investigation into the nature, extent, and scope of the incident remains ongoing, and we will update you with additional information as necessary.
From our investigation to date, the information affected may include your name, email address, address, username, hashed password, and purchase history.
As indicated in our prior communications, there is no evidence to date to suggest that any of your financial or payment information has been affected. That is because StockX does not store full payment card or financial data of its customers on its network servers or platform. Instead, any StockX payment card data is processed, stored, and hosted by a third-party payment processor, and not StockX. Based on our investigation to date, we have no evidence to suggest that our third-party payment processing partners or our third-party platform has been affected by this incident, nor do we have any evidence to suggest that any of the customer financial or payment information stored by that third-party has been affected.
As previously described, upon first learning of the suspicious activity, we immediately launched an internal forensic investigation into the reported activity. On the same day, we engaged third-party data incident and forensic experts to assist with the investigation.
While we were conducting our forensic investigation into the suspicious activity, out of an abundance of caution, we took proactive steps to implement infrastructure changes to mitigate and address any potential effects of the suspicious activity. These infrastructure changes included:
- a system-wide security update;
- a full password reset of all customer passwords, with an email to customers alerting them about resetting their passwords;
- high-frequency credential rotation on all servers and devices; and
- a lockdown of our cloud computing perimeter.
We also contacted law enforcement and have been working with them in their efforts to catch the perpetrator. While law enforcement was involved, this notice was not delayed at the request of a law enforcement agency or as a result of a law enforcement investigation.
Once the investigation revealed evidence to suggest customer data may have been accessed by an unknown third party, we sent you an email on August 3, 2019 to make you aware of the incident and provide you with the information we had at the time and guidance on the steps we were taking—and you could take—to protect your data.
As our investigation has continued, we are now providing you this notice to give you further information about the facts and how you can protect yourself and your personal information. Additionally, we have notified, or are notifying as necessary, any appropriate regulators in the United States, the European Union, and other impacted foreign jurisdictions.
We are offering you free fraud detection and identity theft protection. As a precautionary measure, we are offering you 12 months of free fraud detection and identity theft protection through ID Experts®, the data breach and recovery services expert, to provide you with their MyIDCare™ product. MyIDCare services include: CyberScan monitoring, fully managed id theft recovery services, a $1,000,000 insurance reimbursement policy, and 12 months of free credit monitoring. With this protection, MyIDCare will help you resolve issues if your identity is compromised. We encourage you to contact ID Experts with any questions and to enroll in the free MyIDCare services by calling (833) 300-6935 (if you are calling from the United States) or +1-971-317-8411 (if you are calling from outside of the United States) or by going to https://ide.myidcare.com/stockx. Please note the deadline to enroll is November 8, 2019.
Again, we take very seriously the security and privacy of your information, and want to make sure you have the information you need so that you can take steps to help protect your personal data. Because of the proactive mitigation and response steps we have taken, and the nature of the incident based on the forensic evidence we have today, we believe that the consequences of the incident and risk to individuals is low. Nevertheless, and even though the passwords affected were hashed, we recommend that if you use your StockX password for other accounts, you change those passwords as well.
As always, we encourage our customers to remain vigilant by reviewing their account statements and credit reports closely. So that you can take proactive steps to help protect your personal information, at the end of this letter we have provided you with additional information regarding steps you can take to further protect yourself. We encourage you to review that additional information.
Your trust is at the center of our business, and we want to make sure you get answers to any questions you may have. So, we have set up a dedicated call center to answer questions regarding this incident. If you have any questions about the incident or this notice please call (833) 300-6935 (if you are calling from the United States) or +1-971-317-8411 (if you are calling from outside of the United States).
We deeply regret the inconvenience or concern that this incident might cause you.