Boomerang rentals possibly compromised

yogibear88 · 21 Jan 2015 at 16:29

I have had £618.31 paid out of my account from Western Union in London. Anyone had any of these sort of transactions appear also?

ps3ud0 · 21 Jan 2015 at 16:32

Kris_90 said:
I've had a quick read through this thread so I apologize if someone has already mentioned this but is there anywhere I can complain about a company not storing personal information securely? - a financial ombudsman type place.

https://ico.org.uk/for-the-public/

ps3ud0 :cool:

Mr Jones · 21 Jan 2015 at 16:34

yogibear88 said:
I have had £618.31 paid out of my account from Western Union in London. Anyone had any of these sort of transactions appear also?

My card was closed before any further damage were done.

Look before that transaction, was there any O2 (or any other Network) PAYG Top Up that isn't yours? Or a £0.00 Apple iTunes type transaction? They tend to do something like that to test it before sweeping in with big buys.

Mine was O2, £20 + £30 then a £6.xx something sub from a magazine, by then, I have my account closed.

On FB / Twitter / Reddit, the general feedback was similar but there are a few with Western Union transaction. Whether it's linked or not, you need to narrow down from the point of transaction to all other possible leaks.

mid_gen · 21 Jan 2015 at 16:43

Your card details will be being flogged online to whoever wants to pay for them, I wouldn't expect any consistency on what they are used for, although Western Union is a popular one for money laundering.

Kris_90 · 21 Jan 2015 at 18:48

Thanks for the replies, I didn't think I could do anything but it was worth a try

yogibear88 said:
I have had £618.31 paid out of my account from Western Union in London. Anyone had any of these sort of transactions appear also?

Most of the transactions on my card were from Western Union.

theonejat · 21 Jan 2015 at 21:08

Just asked out of curiosity if all customers details had been accessed, just wanted to know the answer as I'm pretty sure it's 'Yes'

Got this reply:

Hi, if you are concerned, I'd speak to your bank/card provider and take their advice. Thanks

Cancelled my card and ordered a new one as soon as I read this forum post. Big thanks to the OP and for the info here, wouldn't of known.

RedStarRiot · 22 Jan 2015 at 08:31

and to think some people didn't think Boomerang didn't have a responsibility to advise their customers that their data had potentially been stolen.

ZXSpectrum · 22 Jan 2015 at 09:01

Well still no reply from the 2 emails I have sent to boomerang and if their reply is the same as someone else posted I will not be happy. What utterly terrible customer service!

What is strange is that I have cancelled the card that was associated to the account but i received an email saying that they had processes this months payment without my updated card info? Will get on my banking when I get chance.

Mr Jones · 22 Jan 2015 at 09:06

I still haven't got a reply on email I sent on the 13th.

My direct message via FB only yielded the same crap they're saying:

BG said:
UPDATE:
We continue to receive more messages than usual, and our team is working hard to respond as quickly as we can. We are currently working on emails received on Friday.
Today, we will also start to prioritise those of you who have asked when you will receive a reply to your email.
We are aware that some customers aren’t able to view their rental list and we are looking into that at the moment. We will also advise when the mobile site will available.
New releases will continue to be despatched, with Saint’s Row going out to customers tomorrow.
Our investigations continue and during this phase, monthly subscriptions will be processed away from the live environment. We have spoken to our key partners and they have confirmed that we are taking the right steps at this stage.
We hope to have a new payment platform available over the next week or two. We will provide details on this at the appropriate time.
Our team is working as quickly as possible and we hope to start to respond to individual Facebook messages and tweets today. We will provide all the information we can, however, please be aware that in some instances, this may be limited.
To date we have still not identified any evidence of a breach of our systems. We are continuing to investigate and take this issue very seriously.

JoeBoi · 22 Jan 2015 at 09:12

"More messages than usual", like practically every member complaining about the same thing. Their details being compramised.

Their "investigation" is taking a day and an age.

mid_gen · 22 Jan 2015 at 09:28

You'd have to be insane to give them card details again....they haven't even acknowledged that there was a security breach....if 'breach' is the right word to describe breaking a damp tissue

Mr Jones · 22 Jan 2015 at 09:32

Latest Update

BG said:
Update
Our investigation into the reported card issues began on the morning of Monday 12th January, following us removing our website on the Sunday evening.
We followed strict guidelines on how to conduct this investigation which involved many man hours of investigation of our systems, software and their associated logs. Encrypted card details were removed from the live system on the morning of Monday 12th January.
On Tuesday 20th January, we appointed a third party specialist to help us with the investigation and this continues. We understand the need to provide regular updates and we will continue to do this as best we can.
Thank you for your continued patience.

Seriously, when will they learn?! It was over 48 hours before they responded to the issue, followed by over a week before they even appoint a third party, and that's over 72 hours after the SQL exploit was highlighted the moment their site went back up.

yogibear88 · 22 Jan 2015 at 10:37

Mr Jones said:
My card was closed before any further damage were done.

Look before that transaction, was there any O2 (or any other Network) PAYG Top Up that isn't yours? Or a £0.00 Apple iTunes type transaction? They tend to do something like that to test it before sweeping in with big buys.

Mine was O2, £20 + £30 then a £6.xx something sub from a magazine, by then, I have my account closed.

On FB / Twitter / Reddit, the general feedback was similar but there are a few with Western Union transaction. Whether it's linked or not, you need to narrow down from the point of transaction to all other possible leaks.

When I rang the bank there was a £1.01 charge a couple of minutes before the transaction to a company. Guess that was them testing the details. Will send an email to Boomerang. In the meantime having to get a new card sent to me.

Dannyb01y · 22 Jan 2015 at 16:41

I've not used boomerang for rentals though I did purchase a game off them in 2013.

Today I had a call from Santander fraud department. Someone tried spending £300 on a train ticket to Luxembourg and registering my card with a "Hoover" taxi firm.

It might be coincidental with the Boomerang breach might not be of course.

sith · 22 Jan 2015 at 23:49

Boomerang User here - £40 worth of o2 vouchers taken from my account. Had to cancel my card :/

blairw · 23 Jan 2015 at 01:07

HSBC cancelled my card before any fraud was possible - they called me. Couldn't confirm the source of the issue though

ZXSpectrum · 2 Feb 2015 at 15:06

Well just to update this thread... STILL no reply to any of my emails... So I then went to the website to check the card details and now there is information about them changing their payment system. Honestly this is utterly terrible service and I will not be using them anymore.

Update 30/1/2015

Updating Your Card Details

Please accept our apologies, we are currently changing our payment platform, and this work is nearly ready to go live!

We are completing our testing and you should be able to add your new card details by Friday 6th February.

The Changes

The new platform will look a little different. When you update your card details, you will be directed to Sagepay, our Payment Partner page to enter your card details and then back to our site afterwards.

You won’t have to do more than you would do ordinarily, it will just look a little different and is totally secure.

New Payment Platform

No full card numbers will be stored on our systems, we will just hold a token that we can use for future payments.

Every time, we process a payment for you, we simply present Sagepay with this token and they then match this up to card details stored securely on their systems.

We will hold the last 4 digits only, and expiry date for your card, for website administration, which is standard practice.

These are passed back to us, by Sagepay, when you update your card details, so the full card details do not enter our systems at all.

If you have any questions, please contact us.

Sooo they did not acknowledge the issue, they did not inform customers, they have not replied to customers emails and they are changing their payment system. They deserve to go out of business for this shadiness....

yogibear88 · 2 Feb 2015 at 15:50

No reply to my email complaint. Think I may have to cancel.

ZXSpectrum · 2 Feb 2015 at 16:08

And in more news I have just gone to cancel and been presented with this:

Get £12 worth of Payback Points and Exclusive Access to Bonus Games

We very sorry if you have been affected by the recent website issues and to show our appreciation, we would like to give you these exclusive offers.

If you are a live account holder (even if you are waiting to update your payment details) on 26th January 2015, and feel you have been affected, email us and we will sign you up to this offer, and give your account “legend” status.

We will then give you £4 worth of Payback Points over the next 3 months* (starting in February) and as soon as available, give you 3 months exclusive access to Bonus Games.

What is Bonus Games?

Bonus Games allows you to rent additional games at no extra cost (just redeem your points).

You can rent these games for 2 weeks and allows you to double your games at home for that period**. So, if you are on a 2 game package, you could have up to 4 games at home at a time!

There will be titles available on most formats including PS4, Xbox One, PS3 and Xbox360.

What to do next?

Please email us on [email protected] and head you email “I am Legend” and we will sign you up as quickly as we can. Please use your Boomerang account email address.

We will then release more news on this offer.

Thank you for your understanding and patience.

The Boomerang Team

*Your account needs to be live to receive the points.
**Subject to having sufficient Payback Points

Well that's all well and good but not replying to emails and not taking responsibility for your balls up is a sign of a company with terrible customer service.

Mr Jones · 2 Feb 2015 at 16:59

They've replied my messages on FB with the same status update BS 3 days after I sent it. My 2 emails were ignored, but my direct message via their website got a reply - of which I asked for all my details and information to be purged. They said they will do so and email an update, along with asking why.

I replied frankly and seek an update ASAP. That was 10 working days ago.

I've given up on them now, changed my address on there and maintained my junk email, just annoying my full name is still there - not that it really matters as the leak is already out there now. PITA they are and thoroughly deserve all negative comments on their social pages.

Shame there are probably hard working people, with family and bills to pay, working for what feels like a mismanaged company - especially with their communications and customer services.