Online marketplaces Poshmark and StockX are dealing with consumer privacy issues.
Poshmark, No. 33 in the Internet Retailer Online Marketplaces Database, said Wednesday that it discovered data from some Poshmark users was acquired by an unauthorized third party.
The data acquired does not include any financial or physical address information, and Poshmark said it doesn’t believe that consumers’ passwords were compromised. “Regardless, we recommend that you change your password as a precaution and security best practice,” Poshmark wrote.
Poshmark says hackers may have gained access to shopper profile information such as username, first and last name, gender and city. Additionally, unauthorized users may have accessed user email addresses, user IDs and size preferences, as well as social media profile information collected when users connect social media accounts to Poshmark. Other compromised information may include consumers’ email and push notification preferences.
“We take the trust you have placed in us extremely seriously, and since learning of this incident, we’ve expanded our security measures even further,” Poshmark wrote. The marketplace said it has conducted an internal investigation, retained a leading security forensics firm and has “implemented enhanced security measures across all systems to help prevent this type of incident from happening in the future.”
Poshmark is an app-based online marketplace with more than 5 million sellers and 40 million registered users. Most Poshmark sellers are individuals rather than businesses, and about 70% of the merchandise sold is used. The company says its sellers make a sale nearly every second, and Poshmark has distributed more than $1 billion to sellers since its launch. Poshmark’s marketplace has 75 million listings, the company says. Since its launch in 2011, Poshmark has raised $153.0 million from investors, across five funding rounds, according to Crunchbase data.
Sneaker marketplace StockX reset customer passwords after being alerted to “suspicious activity,” the company says. “StockX was recently alerted to suspicious activity potentially involving our platform. Out of an abundance of caution, we implemented a security update and proactively asked our community to update their account passwords. We are continuing to investigate,” the company wrote in an email to Internet Retailer. “As a leading technology company, the privacy of our StockX customers is of paramount importance to us.”
The Detroit-based marketplace launched in 2016, billing itself as “the stock market of things” where consumers can both buy and sell new and pre-owned products similar to how commodities are traded on the stock market. StockX is No. 31 in the Internet Retailer ranking of online marketplaces.
Research released last month by IBM Security and conducted by Ponemon Institute finds the cost of a data breach for retailers is $1.84 million. The average time for retailers to identify a breach is 228 days, and the average time to contain one is 83 days.
The study, in its 14th year, covers 17 industries and 16 countries. It also finds small businesses are hit especially hard by breaches. For example, in the study, companies with fewer than 500 employees suffered losses of more than $2.5 million on average, IBM says. That’s compared with $5.11 million for companies with more than 25,000 employees. That means smaller companies have higher breach costs relative to their size.
Overall, the cost of a data breach has risen 12% over the past five years and now stands at $3.92 million on average globally, up from $3.5 million in 2014.
The United States posted the highest average cost of a data breach of all countries analyzed at $8.19 million, up from $7.91 million in 2018 and more than double the worldwide average. In the U.S., businesses pay on average $242 per lost record. The time for a U.S. business to identify and contain a breach is 245 days.
James Melton and April Berthene contributed to this story.