Data Breach for Sport Pursuit

AltAccount

Anybody else get an email likr this today?

Dear AltAccount,

We are sorry to inform you that we have uncovered evidence that SportPursuit has been the victim of an attempted data hack, which may have affected a limited number of SportPursuit members. The fact that you are receiving this email means that you may be affected.
Our advice is that you remain vigilant over the coming days. Should you see any evidence of unusual activity on your bank account or credit card, you should contact your bank immediately to report this.

The SportPursuit team acted immediately to fix the problem, and the issue has been resolved. You can continue to use our site with confidence that your transactions are secure.

The security of our customers' data is a top priority for us. We take very extensive steps to protect ourselves from hacks and to keep your personal details safe. As far as we are aware this is the first time that our data may have been accessed, and we wanted to immediately inform you so you can remain vigilant and react quickly should there be a problem.

We have a dedicated team of customer service specialists that you can reach on customersupport@sportpursuit.com. FAQs are available on our website (www.sportpursuit.com/data-faqs), we will keep this updated.

We're sorry to bring you this news on a bank holiday weekend, but when it comes to data, our priority is always to give our customers the facts and keep you informed as soon as possible.


Regards,

Blake
Head of Customer Service

Eek!

jamesd

No didn't get it, just got an offer from them there for 10% off

Slogger Jogger

Yeah, got that email. This contradicts info elsewhere on their website that assures the customer that their credit card details are not stored on their site, apart form the last 4 digits. Worrying.

splanagan22

Got same email. Used used site once.

doozerie

I didn't receive such an e-mail from them either, and I've shopped with them before so I'm not just an e-mail subscriber.

I'm not sure whether I should be reassured by that lack of e-mail, or should be even more concerned that "only" a subset of their data may have been hacked (makes me wonder how they store their customer data).

Kaisr Sose

doozerie wrote: »

I didn't receive such an e-mail from them either, and I've shopped with them before so I'm not just an e-mail subscriber.

I'm not sure whether I should be reassured by that lack of e-mail, or should be even more concerned that "only" a subset of their data may have been hacked (makes me wonder how they store their customer data).

Reading between the lines , they don't know if any data was taken/compromised. The email is to cover themselves in the event it was.

mossym

Got it too. Will be watching the cc account closely.

doozerie

Kaisr Sose wrote: »

Reading between the lines , they don't know if any data was taken/compromised. The email is to cover themselves in the event it was.

It certainly makes sense for them to assume the worst, but I wonder why they seem to believe the breach affected only some of their customers and also how they can determine exactly which customers.

How any company stores their customer information is a mystery for the customers, typically, an incident like this raises even more questions in my mind about that.

Kaisr Sose

Maybe because they know what files were accessed but not if data was taken. Otherwise the email should have went to all. Just my thinking anyway.

doozerie

Kaisr Sose wrote: »

Maybe because they know what files were accessed but not if data was taken. Otherwise the email should have went to all. Just my thinking anyway.

It'll very much depend on how they store their customer information. The conventional approach is to store it all in a database, so anyone that hacks into the database is likely to have access to all of it.

There are many models of storing info though, so it's certainly feasible that only part of the data was accessed/stolen, would be interesting to know more details but of course Sport Pursuit won't release them (assuming they even know them themselves).

Kaisr Sose

I think they also compartmentalise to maximise the security and minimise the amount of data hacked. Eitherway, they won't be explaining as they will state they don't discuss security measures. And of course the whole thing is probably already being filtered through a PR company.

Magilla Gorilla

I got the message too. No activity on my bank account so far. I was cleaned out a few years ago so will be watching this carefully.

Beasty

In terms of bank accounts, they should have no more info than is available whenever you issue a cheque. Credit cards issuers give you protection.

In terms of what data was compromised, they can usually interrogate systems to work out exactly what information may have been accessed. The fact they have owned up and notified potentially affected customers is a good sign, and those that do "own up" will usually err on the side of caution. It's the businesses that don't tell you about date breaches that would bother me more!

Often nothing comes of these data breaches because of protection usually built into systems (despite all the headlines they attract - they get those headlines precisely because the "good" businesses fully disclose whatever they can without further compromising anyone).

pedro_colnago

I have used the website a few times, no email but maybe that's because I used paypal rather than direct to sport pursuit Id say?

PaulieC

pedro_colnago wrote: »

I have used the website a few times, no email but maybe that's because I used paypal rather than direct to sport pursuit Id say?

I'm the same - several purchases via PayPal, no email either

yappaty

Slogger Jogger wrote: »

Yeah, got that email. This contradicts info elsewhere on their website that assures the customer that their credit card details are not stored on their site, apart form the last 4 digits. Worrying.

I emailed them asking about that, this was their response:

"Hi

SportPursuit does not store our members credit or debit card details. However during changes to our website, an error in the code meant that some credit and debit card details were inadvertently stored. They were automatically encrypted by our systems using a strong encryption algorithm. When we became aware that bank details were being stored, we immediately took steps to stop this from taking place and deleted the card details that had been stored. No CVV numbers have been stored on our systems at any point.

Kind regards,"

roverrules

If in doubt then max out your credit card on bike and bike related purchases, it's the only way to be sure

terrydel

Beasty wrote: »

In terms of bank accounts, they should have no more info than is available whenever you issue a cheque. Credit cards issuers give you protection.

In terms of what data was compromised, they can usually interrogate systems to work out exactly what information may have been accessed. The fact they have owned up and notified potentially affected customers is a good sign, and those that do "own up" will usually err on the side of caution. It's the businesses that don't tell you about date breaches that would bother me more!

Often nothing comes of these data breaches because of protection usually built into systems (despite all the headlines they attract - they get those headlines precisely because the "good" businesses fully disclose whatever they can without further compromising anyone).

Yep,any card info should barely touch their server, let alone be recorded on it. The payment processing provider should handle that side of things.