Hot Topic, a popular U.S. retailer, experienced a series of security breaches in multiple phases, spanning 12 days, during the first half of the year and is currently assessing the extent of the damage. The breaches, which took place from February 7 to June 21, were primarily due to automated attacks targeting the company’s online platform and mobile app, according to a recent data breach notification report submitted in California.
All U.S. states, as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, require businesses and, in many states, public agencies to inform individuals about security breaches involving personal data. Specifically, Washington’s breach notification law, established in 2005, dictates that entities must inform Washington residents about unauthorized access to their unsecured personal data within 45 days of identifying the breach. However, notification isn’t necessary if the breach doesn’t pose a significant risk to consumers. In cases where over 500 residents of Washington are affected, the entity involved must also provide the Attorney General with a sample breach notification and the number of affected consumers.
In an email to Retail Dive, Exabeam’s Chief Information Security Officer, Tyler Farrar, highlighted the incident as a reminder of two pressing security issues: handling compromised credentials and differentiating between regular and suspicious activities.
In response to the breaches, Hot Topic has collaborated with cybersecurity professionals and fortified its online and mobile platforms with anti-bot software. Hot Topic operates over 600 outlets in shopping hubs throughout the U.S. and Canada.