Online marketplace StockX has offered more details to customers after a data breach was discovered in late July. In a letter dated August 8, CEO Scott Cutler detailed the investigation of the breach and offered customers 12 months of free fraud and identity theft protection services.
The update explained that an unknown third party gained access to customer data that may include names, email and physical addresses, usernames and purchase histories. Hashed passwords, those stored via one-way encryption, were also compromised. At this time, StockX does not believe financial or payment information was included in the breach.
StockX customers first learned there was an issue on August 3. At that time, the company said it "discovered a data security issue" and was "alerted to suspicious activity potentially involving customer data." The company shared the infrastructure changes it had taken to stop further breach activity, including a system-wide security update, credential rotation on all servers and devices, increased cloud computing security, and resetting all customer passwords.
StockX's handling of this data breach may be marked as a major misstep for the recently minted $1 billion unicorn. The Detroit-based sneaker, handbag and apparel marketplace provides authentication services for buyers and sellers, and has quickly gained a healthy crew of celebrity investors.
It's not alone in its struggle to maintain customer security. Poshmark, CafePress and Capital One are just a few examples of companies who have told customers about data breaches in the past 30 days. But when StockX first asked customers to reset their passwords, it blamed the inconvenience on "system updates," according to a report from TechCrunch. StockX was shoring up its systems at the time, but initially downplayed the reason for the update.
It can be difficult for brands to navigate the post-breach landscape. Finding and stopping up hackers' entry points can take time, and retailers may not want to admit there's a problem until they're sure of the true impact of a breach. But their reputation is on the line, perhaps especially for younger brands with digitally native audiences. A data breach could very well damage the credibility of a fledgling retail startup, no matter how buzzworthy its investors are.