DICK'S Sporting Goods third-party hack exposes ‘confidential’ info


US retail giant DICK'S Sporting Goods has revealed that hackers were able to breach its internal networks last week and access confidential company information.

The sporting goods equipment and athletic apparel retail chain filed an 8-K breach notification with the US Securities and Exchange Commission (SEC) on Wednesday, stating that on August 21st, it discovered an unauthorized third party had accessed its information systems.

DICK'S said the hackers were able to infiltrate “portions of its systems containing certain confidential information,” although the company did not specify what that sensitive data was.

The company said it had immediately activated its “cybersecurity response plan” once it became aware of the intrusion and “notified federal law enforcement.”

DICK'S said it is also working with “external cybersecurity experts” to investigate, isolate and contain the threat.

[Image: DICK'S Sporting Goods SEC 8-K filing. Image by Cybernews.]

Headquartered in Pennsylvania, DICK'S is considered one of the largest sporting goods retailers in the US, with over 850 retail locations across the country.

The company reaches more than 150 million customers – or, as DICK'S prefers to call them, athletes – both in-person and online, according to an Adobe Cloud profile.

Although the investigation is still “ongoing,” the filing did say business operations were not impacted and “the incident is not material.” The Fortune 500 company said it would amend the 8-K filing if anything changed.

Cybernews has reached out to DICK'S for further information and is awaiting a response.

DICK'S incident response helped contain damage

Hackers targeting large retail chains have become increasingly common. Over the past twelve months, big names that have suffered attacks include major retailers such as VF Corp (Vans and The North Face), Ace Hardware, and Rite Aid in the US and Shoezone in the UK.

Ilia Sotnikov, Security Strategist at the Texas-based security software firm Netwrix, said there are several key takeaways to be gleaned from DICK'S SEC filing.

First, even with solid security controls – from preventive to mitigation – it is impossible for any company to “guarantee protection from 100% of attacks,” said Sotnikov.

Second, Sotnikov explained that “organizations should not underestimate the importance of incident response plans,” pointing out that once unauthorized activity was detected, the DICK'S team was able to act quickly to contain the incident.

“As far as we can tell, DICK'S security team was able to detect the attacker's unauthorized activity before it could bring significant harm to the company or its clients,” they said.

“Even though some IT systems were taken offline, they were able to do so with a minimal impact on business operations,” Sotnikov added, which allowed DICK'S website and offline stores to continue without disruptions.

Finally, Sotnikov explained that it is “paramount” for an incident response plan to involve outside experts.

Internal security teams – although always the first to respond to a cyber event – “will not have enough capacity to conduct an investigation while preventing and detecting potential new attacks,” Sotnikov said.

“A good understanding of who can and should be involved in the containment and investigation process only helps to streamline the process and split responsibilities adequately,” they said.

In 2023, DICK'S Sporting Goods' annual revenue was listed as $12.4 billion, according to Statista.

So far no cybercriminal group has come forward to claim a breach of the retail chain.