And for Tuesday’s edition of “How Not to Handle a Reported Breach,” we give you….. (drum roll)…. Boomerang Rentals.
John Leyden of The Register provides a recap of what happened when customers started expressing concerns about fraudulent charges on cards they had on file with the video game rental service. Neil Bolt of PSU also provides details.
As of four hours ago, Boomerang tweeted:
UPDATE: We can reassure users that we are continuing with our investigations. The security of your experience… http://t.co/vQBbv6Rh3B
— Amelia@Boomerang (@boomeranggames) January 13, 2015
So were they compromised, or is this yet another case where people have re-used login credentials and the logins were stolen from another site? We’ll need to wait until Boomerang issues a more definitive statement. [Update 2: it’s not from re-used logins from other sites. See comments below this post from users.]
A DataBreaches.net reader, who contacted us to alert us to this incident, noted:
I had a look at it yesterday – everything appears to run on one web server (also email, FTP etc). For example, payment details are taken on same server with their WordPress blog, which has an exploitable theme on it (they only pulled this yesterday, 4 days after the apparent breach).
Stay tuned, I guess….
Situation Update: Boomerang Rentals 13th January 2015
What happened
On Friday we were contacted by a customer who was concerned that a fraudulent charge had been attempted on his credit card, and he was worried that our system had been compromised. He quoted another person who had made a comment on Twitter of a similar issue.
What we did
We began an investigation as soon as additional concerns were raised. Credit card data is stored in a strongly encrypted format and not viewable to any internal staff; however, at that stage, we felt we should take the concerns seriously. Over the weekend, we noticed other people online reporting similar issues and we became increasingly concerned. So, based on the information available at the time and conscious of the concern, we made the decision on Sunday afternoon to take the site off line while we continued our investigations.
Where we are
By Monday morning, we had been contacted directly by a small number of additional customers. We contacted the fraud department of our merchant bank, but they knew of no issue. We also contacted our payment gateway provider and they also had no concerns. They are assisting us in a consultative capacity.
By this time we could see lots of people talking about this online, but only a few people had contacted us directly.
To date we have not found any evidence of a breach of our systems. We are continuing to investigate and continue to take this issue very seriously.
We have also made the decision to very quickly move over to a token method of payment which obviates the need to have encrypted data on our servers, to give our customers further reassurance.
We would not ever wish to be the source of customer card information being compromised, so are making this change urgently. This work will take about a week, and we have removed the card details in their encrypted form from our on-line system, and are removing the facility to update or provide card details until the work is complete.
Subscriptions will be processed daily each weekday morning under further supervised controls. Once the new system is in place, we will be able to collect payments through the token system.
We will also investigate the possibility of introducing PayPal as a form of payment as well, to offer our customers further choice.
What next
First we will start to process incoming and outgoing rentals. Then, once we are satisfied that our investigations are complete, we will bring our website back on line so existing customers can see their rental lists. We apologise for the inconvenience caused to our customers while this work is undertaken. Once everything is running again, we will be back in touch and will include updates at that time.
Finally, we would like to re-emphasise that we have not found any evidence of a breach in our systems (our systems were regularly tested for vulnerabilities by a 3rd party specialising in this) but our Engineers and Technical Advisors continue to investigate.
We are aware of the interest and concern this situation has raised and care about our customers and our reputation greatly and are urging our customers to get in touch with us immediately if they have any concerns.
We will shortly be sending an email directly to each of our customers.
Telephone: 01604 654140
Email: [email protected]
Cool article. I’d love to see you please expand on the topic of how they’re demonstrating not to handle a breach, because I very much agree. But you guys can probably bring a knowledgeable perspective to it.
What they’ve done wrong, in my eyes, is to ultimately deny it has even happened, when the 233 comments on Reddit and an even greater number on Facebook beg to disagree. They still haven’t emailed customers to explain that there is at least a chance that they have been or are continuing to be defrauded by the hackers, and that users should check their bank accounts. And change their passwords on sites where they use the same password (particularly email and online banking as these have likely leaked out).
WRT your mentioning the hackers could be targeting customers whose passwords were leaked from another site and use the same one on Boomerang: I can’t speak for anyone else, but I checked and my password on Boomerang is a random string of characters, generated by LastPass uniquely for that site. I have had £50 of fraudulent transactions on the 7th, purchasing O2 topups when I am on a monthly contract with T-Mobile.
Hacks happen. The fact they’re not warning their users and just denying it is worrying and is more than likely what will put them under in the long run. I would have been happy to keep using them if they just provided paypal (I hate paypal..) but this bollocks they’ve been trying to convince us of is just not on.
The password I used was made up at the time I joined Boomerang and stored in my password manager; so it’s absolutely not this. I know of at least one other person in the same boat. If Boomerang were compromised, it absolutely was not via reused login credentials.
Thanks for confirming that.
My card has also been used, for 2 Vodafone top-ups and several O2 ones. It would have probably been more if I had not stumbled across this story by accident. Can’t believe they didn’t contact their customers immediately there was even a hint of trouble.
Wow, I’m sorry, Mark. This is exactly why I’m trying to pressure Boomerang into at least sending a warning email to its customers.
Something they told the press they would do two days ago, but as yet have failed to do.
In today’s update at http://www.databreaches.net/boomerang-still-not-telling-customers-whether-theyve-confirmed-a-security-breach/, you’ll see there’s still no confirmation or denial by Boomerang as to whether they’ve had a breach. And there is nothing on their home page to alert customers to be vigilant.