MarineMax, the world’s largest leisure boat and yacht retailer, has revealed that it suffered a significant data breach in March, which resulted in the theft of personal information affecting over 123,000 individuals. The security incident was allegedly perpetrated by the Rhysida ransomware gang.
The corporation operates more than 130 locations globally, encompassing 83 dealerships and 66 marinas and storage facilities. In its final 12 months, the company recorded $2.39 billion in income and a substantial $835.3 million in gross revenue.
The yacht vendor’s initial statement to the SEC on March 12 denied any sensitive data was stored on compromised systems, but just two weeks later, it revealed in a subsequent filing that attackers had actually stolen personal data from an unspecified number of individuals.
MarineMax has disclosed a data breach affecting 123,494 individuals, revealing the incident through notifications filed with the offices of the Attorneys General. The breach was discovered on March 10, following an attacker’s unauthorized access to the system just 10 days earlier, with no impact beyond a specific subset of restricted tools.
“After conducting a thorough investigation into the incident, we have determined that an unauthorized third party gained access to our premises between March 1, 2024 and March 10, 2024,” MarineMax stated. “After conducting a thorough investigation, we have determined that an unauthorised third party gained access to some of our systems, resulting in the compromise of your personal data.”
MarineMax informed the Maine and Vermont Attorneys General that hackers had pilfered names and other personally identifiable information during the attack. Despite this, it remains unclear as to what specific personal data was compromised from its systems, and whether the information breach affected individual customers and employees.
While the corporation hasn’t explicitly linked the breach to a specific threat actor, it’s characterizing the incident as a “cybersecurity event,” the Rhysida ransomware group has taken credit for the attack, which occurred on March 20.
Cybercriminals have publicly disclosed a 225-gigabyte archive of allegedly pilfered data from MarineMax’s online community on their darknet leak website, claiming it is information they were unable to sell.
Rhysida publicly disclosed purported images of MarineMax’s financial documents, including customer and employee identification credentials such as driver’s licenses and passports.
Recently, a relatively new ransomware-as-a-service operation emerged in May 2022, quickly gaining attention after successfully targeting high-profile organizations such as the and.
The U.S. The US Department of Health and Human Services (HHS), along with its affiliates, has warned of attacks targeting healthcare organizations, while the Cybersecurity Infrastructure and Security Agency (CISA) and the Federal Bureau of Investigation (FBI) attribute many opportunistic assaults across various sectors to the Rhysida ransomware gang.
In November, hackers targeted Sony’s subsidiary Insomniac Games, breaching the sports studio’s systems after it refused to pay a demanded $2 million ransom.
Recently, Singing River Health System issued a warning following a devastating Rhysida ransomware attack in August 2023.
