On April 19, a user calling themself “ForceChange77” posted an inquiry on a Blowout Cards forum:
Not sure where to put this, but I ordered something from Blowout in January. Used a credit card that I rarely use – only other place I use is NYTimes subscription. Somebody got the card number and started charging all kinds of fraudulent charges. Has there been a problem recently?
Less than 12 hours later, another member, “bouncer,” posted:
I was just hit with a fraudulent charge last night too. I have alerts set up whenever a charge is made for .01 or more and I caught it within the hour. I just made a purchase from BO a few days ago.
Minutes later, “boo” chimed in:
I as well had some fraudulent charges that were caught yesterday by my CC company. I use it for everything (including BO) but maybe there is a pattern.
As others added their comments, “cruiserdaddy7” noted:
My Capital One card was hit with a $1,270 charge for a Hotel on booking.com
I used the card in March with Blowout as well. It's actually the only place I have used the credit card in the past 7 months (I checked).
Minutes later, he added:
Crap… My damn debit card I've used with Blowout also got hit for $349.98 at Walmart.com and is currently pending on my card statement.
I made a payment in March with that one to Blowout as well. This isn’t good.
By that afternoon, a forum administrator announced that they were looking into the situation. The next morning (April 21), they posted the following:
Attention customers,
Recently we were alerted to a potential security breach on our website. After researching this issue, our internet security team detected and patched an exploit that allowed unauthorized access to customers’ card information when checking out on Blowoutcards.com.
We are currently in contact with several leading third-party security firms to determine the cause of the breach and assure you that we are working with leading experts to harden our security to prevent any future incidents. Although the immediate issue has been resolved, our investigation into this matter is on-going and we will communicate additional information to you as it becomes available to us.
We sincerely apologize to anyone who has been inconvenienced as a result of this incident. We recommend that you remain vigilant for incidents of fraud by reviewing and monitoring your card account statements for unauthorized activity.
Sincerely,
The Blowout Cards Team
After being contacted on Sunday, April 23, by someone concerned that customers were not being notified individually or quickly enough about what appeared to be a serious payment card breach, DataBreaches.net contacted Blowout Cards. Today, Thomas Fish replied that they were in the process of writing an updated statement and would be emailing all potentially affected users today. In the interim, other customers continued to add their reports to the forum thread.
Here is the full text of today’s email to customers, provided to DataBreaches.net by Blowout Cards. It is not yet clear how many customers were sent this notification, but the critical period of the breach appears to be between January 2017 and April 20, 2017. It affects only debit and credit card payments, not PayPal transactions:
4/24/2017
RE: Notice of Data Breach
Dear Customer,
This notice is to inform you that your personal information collected through Blowoutcards.com may have been compromised. Blowout Cards understands the importance of the security of personal information and we deeply regret that this incident has occurred.
What Happened?
On April 20th, 2017, we were made aware of a security breach where an unauthorized intruder(s) gained access to some of our customers’ sensitive card payment data.
What Information Was Involved?
Information compromised includes the names, addresses, email addresses, phone numbers, credit or debit card numbers, card expiration dates, and card verification codes for customers who checked out via our website shopping cart in January 2017 through April 20th, 2017. This security breach was limited to credit and debit card customers. Those who completed their online transactions via PayPal were not affected.
What We Are Doing
Once we became aware of this incident, we immediately launched an investigation to find and eliminate the problem. An exploit in the form of a modified payment .php file was uncovered which allowed the intruder(s) to skim credit card/debit card information as customers checked out via our website. The malicious code has been eliminated and we have successfully taken measures to close this vulnerability. We have also engaged a third-party data security firm who is in the process of examining our network. They will assist our website development and server host companies in implementing additional measures to strengthen the security of our system and our processes.
What Can You Do?
If you have used a credit or debit card on our website in January 2017 through April 20th, 2017, we strongly recommend that you review your credit and debit card statements, and immediately report any suspicious or unauthorized activity to your card provider. Even if you do not see any suspicious activity, we recommend taking proactive action by contacting your credit card’s 24-hour toll-free emergency number printed on the back of your card and asking them to re-issue you a new card. It is not uncommon for thieves to hold stolen information to use at different times. We urge you to exercise caution by vigilantly monitoring your accounts for any suspicious transactions and/or activity.
Additionally, we recommend placing a fraud alert on your credit file in order to protect yourself against the possibility of identity theft. Call one of the three national credit reporting companies, tell them you’re a victim of identity theft, and ask for a fraud alert to be placed on your credit report. It’s free, and the company you contact will alert the other two. A fraud alert tells creditors to contact you before they open any new accounts or make changes to your existing accounts. The initial fraud alert stays on your credit report for 90 days. You can renew it after 90 days:
Equifax: equifax.com or 1-800-525-6285
Experian: experian.com or 1-888-397-3742
TransUnion: transunion.com or 1-800-680-7289
Even if you don’t find any suspicious activity on your initial credit reports, the Federal Trade Commission recommends that you continue to check your credit report periodically. Under federal law, you are entitled to a free credit report once a year. Checking your credit reports periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe that your information is being misused, you may want to file a police report. Obtain a copy of the police report; you may need it to clear up the fraudulent debts. If your personal information has been misused, file a complaint with the FTC at www.ftc.gov/idtheft or call 1-877-ID-Theft (1-877-438-4338). Your complaint will be added to the FTC’s Consumer Sentinel Network where it will be accessible to law enforcement for their investigations.
Our Commitment to You
We deeply regret that this incident has occurred and we sincerely apologize. We realize that you have many vendor options available to you and we consider it a privilege that you choose to shop with us. We do not take this privilege lightly. We know that we will need to regain your trust and we are committed to doing so. The protection of the sensitive information of our customers has always been a priority to us and we know that you must feel safe when you are shopping on our site. This unfortunate incident has only intensified our desire to protect your information. In the coming weeks, we look forward to communicating with you again with full details on what we are doing to ensure the safety of your information and what steps we are taking to prevent this from happening again in the future.
In the meantime, should you have any questions, comments, or concerns, feel free to contact us at any time by emailing [email protected]. Please reference “RE: Notice of Data Breach” in the subject line when emailing us so we can expeditiously send you a response.
Sincerely,
Blowout Cards
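The notice above attributes the skimming to a modified payment .php file on the web server. One control that catches that class of change is a file-integrity baseline: hash the deployed checkout code once, then re-hash on a schedule and alert on any modified, added or removed file. The script below is an added illustration of that check, not Blowout Cards' code or anything from its vendors; the directory layout, file names and file contents are constructed placeholders, and the "tampering" is a simulated appended line and an extra file so that the comparison has something to report.

```python
"""File-integrity baseline and diff for a web checkout directory (added example).

Hashes every .php file under a root once (the baseline), then compares a later
scan against it and reports modified, added and removed files. All paths and
contents used in demo() are constructed for the example.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes: tuple[str, ...] = (".php",)) -> dict[str, str]:
    """Map each matching file's path (relative to root, POSIX form) to its SHA-256."""
    baseline: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean deploy, then an altered payment handler and an extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        # Constructed placeholder files standing in for a deployed PHP checkout.
        (root / "checkout" / "payment.php").write_text("<?php // process card (constructed placeholder)\n")
        (root / "checkout" / "cart.php").write_text("<?php // cart (constructed placeholder)\n")
        (root / "index.php").write_text("<?php // home (constructed placeholder)\n")
        baseline = build_baseline(root)

        # Simulate the kind of change the notice describes: the payment handler is
        # altered after deployment and an unexpected file appears beside it.
        with (root / "checkout" / "payment.php").open("a") as fh:
            fh.write("// constructed: appended line standing in for an unauthorized edit\n")
        (root / "checkout" / "helper.php").write_text("<?php // constructed: unexpected new file\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be written at deploy time and stored somewhere the web server account cannot write, and the comparison run from a separate host or cron job so that whoever can edit the PHP files cannot also edit the baseline; any non-empty "modified" or "added" list for the checkout path is worth paging on, because legitimate changes there should only arrive through a deployment that regenerates the baseline.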