Elite Supplements breach 30 Jan 2024

There isn’t a lot of information on this one, unfortunately. Elite Supplements was first alerted to a possible breach of its systems on 30 Jan 2024 and later confirmed the breach to customers, stating that the most sensitive customer data (payment details and passwords) wasn’t taken as part of it.

Impact

Elite Supplements has stressed that the following customer data has not been breached:

  • Credit card data
  • Sensitive payment data
  • Passwords

However, the following details of online customers have been:

  • Name
  • Shipping address
  • Email address
  • Phone number

Details

Elite Supplements uses Shopify for its online sales, so the hosted storefront itself is an unlikely source of the breach, though a compromised admin account or a third-party app with access to the store’s data can’t be ruled out from what has been published. With over 100 physical stores in Australia, there are plenty of other systems holding the same customer records, so it’s likely to have been one of the usual culprits:

  • Someone didn’t secure the CRM/ERP
  • The customer database was exported to unsecured storage (an Excel spreadsheet, for example) or shared with a third party.
We’ll never know, because the legislation doesn’t require companies to reveal how they were breached or if they were at fault.

Communication

Communication on this event is garbage. It’s a classic case of revealing as little as possible, committing to following up, then hoping it all goes away.

Elite Supplements has communicated with customers directly via email (see a copy below).

Unfortunately, under the current legislation, this is all they are legally obligated to do. Email notification allows a company to meet requirements while keeping the profile of the breach as low as possible. Most people won’t even open those emails.

By not publishing a statement on their website or socials, they ensure Google has nothing from their own online properties to surface in relation to the incident.

Here are some things they didn’t communicate:

  • Was it all of their online customers?
  • How many customers is that exactly?
  • What firm was engaged to identify any leaked data?
  • What has happened since their first email announcing the breach?
  • Did they ever find out what the threat actors wanted?
  • Was the stolen data made public?
 
There is the usual commitment about being sorry, and how this is their highest priority.

"Please be reassured that responding to this incident, and doing everything we can to protect our customers’ interests, is our highest priority at present. We will keep you informed as soon as we have new information to share"

Which would be a bit more convincing if they had communicated with their customers on their website or social media accounts. Strangely enough, their LinkedIn, Facebook, Instagram and YouTube accounts don’t mention the incident at all.

Opinion

Responses to cybersecurity breaches are typically poor. At best, companies and organisations will attempt to meet the minimum requirements of the federal and state legislation.

Those requirements are very low, but one of them is to notify affected customers (and the Office of the Australian Information Commissioner) where the breach is likely to put them at risk of serious harm. It’s good to know that Elite Supplements was always going to inform customers of the breach, considering it is their legal requirement to do so.

"Our intention has been to verify that a breach has occurred, and to ascertain as much as we could about what data was accessed, before alerting customers."

The relevant provisions of the Privacy Act 1988 (Cth) are:

"take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes aware as mentioned in paragraph"

Division 3—Notification of eligible data breaches, Subdivision A—Suspected eligible data breaches, 26WH Assessment of suspected eligible data breach

"The entity must comply with subsection (2) as soon as practicable after the completion of the preparation of the statement."

Division 3—Notification of eligible data breaches, Subdivision A—Suspected eligible data breaches, 26WL Entity must notify eligible data breach

In other words, an entity has up to 30 days to assess a suspected breach, and once it has prepared its statement it must notify the affected individuals as soon as practicable. Nothing in either provision obliges it to say how the breach happened.

Elite Supplements Email

Elite Supplements’ email statement to customers is reproduced below.

"We are writing to let you know that in recent days Elite Supplements has been the subject of a cyber-attack, resulting in one or more unknown parties gaining access to some of our customer data.

We are taking the breach extremely seriously and have been working through the implications since we were first alerted to its possibility on 30/01/2024.

Our intention has been to verify that a breach has occurred, and to ascertain as much as we could about what data was accessed, before alerting customers. At this stage we can confirm the following:

No credit card or other sensitive payment data was compromised.

No passwords have been compromised.

The information accessed includes the name, shipping address, email address and phone number of online customers.

Our systems and the data we hold have been secured since the breach and we have engaged a cybersecurity firm specialising in dark-web monitoring to alert us to any leak of data.

Elite Supplements has been contacted by the group behind the cyber-attack but we cannot say with certainty what it plans to do with the information stolen. We will update you as soon as we know more.

We have begun notifying the relevant Government authorities and the company is complying fully with our reporting obligations under cybersecurity laws.

Elite Supplements deeply regrets this incident, which comes despite the considerable investment we have made in cybersecurity. We sincerely apologise for any inconvenience or distress the breach has caused our customers.

Given that access has been gained to some customer email addresses and phone numbers we urge you to be extra vigilant with communications that appear to be from Elite Supplements.

Please be reassured that responding to this incident, and doing everything we can to protect our customers’ interests, is our highest priority at present. We will keep you informed as soon as we have new information to share.

Yours sincerely"

Organisation

Elite Supplements