Puma Investigates Data Leak Allegations Involving More Than 2,30,000 Customers

A hacker forum allegedly contained the private data of over 230k Puma customers in Chile.

In January 2023, a hacker listed an 84MB dataset allegedly belonging to Puma for sale. According to Cybernews, “the leaked database included customers’ names and contact information, such as emails, telephone numbers, and billing and shipping addresses. It also contained details about their purchases – order numbers, payment methods, total monies paid, shipping costs, and discounts.”

According to the cybercriminals behind the dataset listing, it comes from Puma’s Chilean e-commerce website, but Cybernews was unable to verify this independently as of 3 February 2023.

Threat actors can launch targeted phishing attacks using Puma’s alleged data leak. Using the information found in this dump, they could send texts and emails pretending to be from Puma, and use valid order numbers and names. Additionally, they may be able to use this information in conjunction with partial credit card information that has been leaked previously to make purchases with the victim’s card, said a Cybernews researcher, Aras Nazarovas.

As a result of a ransomware attack on Kronos, one of Puma’s Human Resource management providers, Puma suffered a data breach in 2022. Kronos was breached by ransomware in December 2021, disrupting payroll processing and staff management.

As per Cybernews, Hackers gained access to employees’ personal data, including social security numbers, as a result of the massive attack. In the US, employees were left without salaries for weeks afterward.

Research by Cybernews shows that e-commerce websites are easy targets for cybercriminals, which is why leaks like these happen frequently. Increasingly, threat actors are trying to exploit such sites, so developers should ensure that security measures are implemented.