MarineMax, self-described as the world’s largest recreational boat and yacht retailer, is notifying over 123,000 individuals whose personal information was stolen in a March security breach claimed by the Rhysida ransomware gang.
The company operates over 130 locations, including 83 dealerships and 66 marinas and storage facilities worldwide. Last year, it reported $2.39 billion in revenue and a $835.3 million gross profit.
While the Florida-based yacht seller initially stated in a March 12 SEC filing that no sensitive data was stored on the compromised systems, two weeks later, it said in a new 8-K filing that the attackers had stolen personal data belonging to an undisclosed number of people.
This Tuesday, in breach notification letters filed with the Offices of Maine’s and Vermont’s Attorneys General, MarineMax revealed that the data breach impacts 123,494 individuals. It added that the incident was detected on March 10, ten days after the attackers gained access to its network, and it only impacted a “limited” number of systems.
“Based on our investigation of the incident, we determined that an unauthorized third party obtained access to our environment from March 1, 2024 to March 10, 2024,” MarineMax said. “Our investigation recently concluded, and it was determined that the unauthorized third party acquired some of our data, which contained your personal information.”
MarineMax also told the Maine and Vermont Attorneys General that the attackers had stolen names or other personal identifier information. Still, it has yet to disclose what other personal information was exfiltrated from its systems and if the data breach impacted both customers and employees.
While the company didn’t attribute the breach to a specific threat group, and it’s still describing it as a “cybersecurity incident,” the Rhysida ransomware gang claimed the attack on March 20.
The cybercriminals have since published a 225GB archive of files allegedly stolen from MarineMax’s network on their dark web leak site, representing what they claim to be data they couldn’t sell.
Rhysida also published what appear to be screenshots of MarineMax’s financial documents, as well as customer or employee driver’s licenses and passports.
This relatively new ransomware-as-a-service (RaaS) operation surfaced almost one year ago, in May 2023, and quickly gained notoriety after breaching the Chilean Army (Ejército de Chile) and the British Library.
The U.S. Department of Health and Human Services (HHS) also linked its affiliates to attacks targeting healthcare organizations, while CISA and the FBI warned that the Rhysida ransomware gang is also behind many opportunistic attacks targeting organizations across various industry sectors.
For instance, it breached Sony subsidiary Insomniac Games in November and leaked 1,67 TB of documents on its leak site after the game studio refused to pay a $2 million ransom.
More recently, the Singing River Health System warned that almost 900,000 people had their data stolen in an August 2023 Rhysida ransomware attack.
