Bombas, LLC
The Organization experienced a security incident on its website due to malicious code in its third party e-commerce platform used for payment card purchases. The malicious code was initially identified and disabled from the website on January 15, 2015, and, after an inadvertent reintroduction, the malicious code was disabled on February 9, 2015, with remediation activities ending on February 25, 2015. In the course of a 2018 review of its privacy and cybersecurity program, the incident was revisited, but, given that the Organization has moved to a more mature and robust e-commerce platform, at this point there is no definitive way to identify which transactions were impacted. As the review of the incident has progressed, the Organization uncovered a copy of the code for the website at the relevant time, including the malicious code, and other evidence supporting the conclusion that the unauthorized access to personal information likely did not begin until September 27, 2014, at the earliest, and ran until, at the latest, the conclusion of remediation activities on February 25, 2015.