Back in February, I noted that the FBI had been called in to investigate a breach involving the Iron Horse Bicycle Classic. A number of those who signed up for the event had reported credit card fraud.
Now lawyers for Iron Horse Bicycle Classic have reported the breach to the New Hampshire Attorney General’s Office. Their report provides some additional details on what the investigators found.
According to the statement, on March 1, IHBC learned that the server they shared with other companies on an unnamed web host provider had been attacked, and the attacker had been able to send information from the server to an unauthorized address on the Internet. Significantly, the attack may have occurred as early as November 30, 2012.
Although IHBC notified registrants by e-mail on March 14, they first mailed out letters in the last week of April. The letters informed them that the attacker may have obtained their names, postal and e-mail addresses, credit card information, and ages.
IHRB made some changes in how it handles payments, but surprisingly in light of know fraudulent use of information, did not offer registrants any free credit monitoring services.
Of course, now I’m also wondering what other companies on the shared server may also have been hacked or had PII compromised. I’m also wondering what the unnamed web host provider is doing to prevent or catch future attacks.