ASAP Data Breach

Cantata

I had the ASAP email too. Called the credit card issuer and they talked through recent transactions, nothing amiss but they strongly advised blocking the card, so I did. Bloomin nuisance.
 

Bobc

You do realise that this has been going on for years. It's only now that there are threats of serious fines because of GDPR that they are telling you.
 

Martin_J

An unhappy coincidence that both Force 4 AND Asap customers should suffer at the same time. Are the two companies connected in any way? Or do they both use the same third party data handling company???
D.

Many companies trust their websites (and therefore card handling) to 3rd parties and are therefore distanced from (and unaware of) the software used on their eCommerce websites..

Looks like Force 4 say they went to a Magento website in 2014.. "Force4, the UK’s foremost chandlery, has launched a new full function website and e-commerce store designed and developed by Screen Pages, one of the UK’s leading Magento e-commerce agencies. "
https://www.screenpages.com/ecommer...-to-drive-sales-of-sailing-equipment-clothing

ASAP are quoted as using Magento.. "The motto of ASAP Supplies is 'we do whatever we can to float your boat', indeed offering a complete range of products that are used in and for boats. The Magento website enables customers to request a quote before buying products."
https://www.cart2quote.nl/magento-quotation-module-testimonials.html

There could be 225,000 other websites using similar code with many 'extensions' on their website that are open to vulnerabilities..
https://blog.acumium.com/3-problems-magento/

Hard to know what to say about putting card details into websites...

And maybe both these companies now use other providers, but it just goes to show that just because other companies trust someone to provide a website, you can't rely on that as being a good enough reason to go with them as well..
 

Martin_J

Wow.. Reading that first link seems to say that Force4 went to the 'Enterprise' version.. Hugely expensive..

Just goes to show that relatively good due diligence and spending rather large sums of money for the full Enterprise version with security patching is not enough..
 

Bobc

Magento is the world's most popular platform for e-commerce sites. There are millions of them out there.
 

Angele

I last bought from ASAP back in March. Having seen this thread, I went into my email account (including spam folder) to check and nothing. So, I rang them up and asked the question. Apparently, they only emailed people on their mailing list (and I am not). Does not mean I have not been affected, as that chap on the 'phone was able to confirm I was on their system and was able to tell me which of my cards I had used to make the transaction (sensibly, without disclosing the full card number).

Bummer. But thanks to Norman_E for posting.
 

Rock Dodger

The same here. Email from ASAP arrived giving me the warning but as I have not done any business with ASAP for some months I checked with the card issuer. There have been no dodgy transactions but I didn't want to wait until it went bad so I ordered a new card to be on the safe side. To wait 3 to 5 days for a new card is a bit of a PITA, but having had a credit card cloned in the past, and gone through all that entailed, better safe than sorry.
 

eebygum

My email from Force4 also ended up in Spam, I subsequently emailed them to confirm it was genuine. This looks very similar to the attack which took place on the British Airways website.

Whilst online credit card fraud has been going on for years, this looks to be a new style of attack.

It looks like a law firm is taking on a class action against BA, with compensation for all potentially impacted customers.

Disgusted that Force4 have not put any update into their webpage or Twitter feed. They need to take more responsibility to alert their customers.

I’ve posted something so please follow up with #force4databreach.
 

eebygum

Under Article 82 of the EU General Data Protection Regulation (EU-GDPR) you have a right to compensation for non-material damage. This means compensation for inconvenience, distress and annoyance associated with the data leak.

#force4databreach
 

eebygum

Yes, credit card fraud has been going on since even before I started working in IT and Bank Payment systems in the 80’s.

However, this fraud looks very similar to the incident reported at British Airways (very specific start and end dates) where the financial details stolen included the expiry date and CVV code. Stealing the CVV data is crucial and hints at the type of attack because of the way IT systems are NOT meant to store this information.

I would advise everybody to check their accounts and order new cards if payment was via credit card.

A class action is being taken up against BA:

https://www.badatabreach.com/

I’ve had to cancel my card and will be pursuing compensation.

#force4databreach
 

Robert Wilson

I called ASAP yesterday to ask if any of my transactions fell within the stated period. I got a recorded message (as usual) asking me to state my purpose of contacting them and leave my name and number.
The message informed me that when staff became available they would return my call.

Nothing yet...…….
 

UK-WOOZY

I bought many things recently from ASAP and Force4, I got the email from ASAP. But I don't have a credit card, I use a Visa Electron. Would that possibly still be affected? I use Malwarebytes background malware blocker that usually blocks trojans etc. from sites.

Edit: just looked, got the email from Force4 too about the issue.
 

GHA

Revolut might be worth looking at for future online purchases, make a virtual card and use that then delete it if worried. No links, blah blah, just happy with what cost a fiver.
 

MikeBz

I called ASAP yesterday to ask if any of my transactions fell within the stated period.

From earlier in the thread there is a stated period for Force 4 (any orders made between 09:55 BST August 6th 2018 to 16:55 BST September 27th 2018) but I can't see one for ASAP?
 

Angele

From earlier in the thread there is a stated period for Force 4 (any orders made between 09:55 BST August 6th 2018 to 16:55 BST September 27th 2018) but I can't see one for ASAP?

....Presumably they would have said if they knew when the problem started. So I infer they don't know. But they must know when the problem ended (some time before the email was sent on Saturday).
 

MikeBz

I bought many things recently from ASAP and Force4, I got the email from ASAP. But I don't have a credit card, I use a Visa Electron. Would that possibly still be affected?

It doesn't matter whether it's a credit card or debit card - if someone has all the info on the card including the CVV number on the back then happy days for them.

Note that in some circumstances you get better protection (not necessarily against fraud) using a credit card than a debit card: https://www.money.co.uk/current-accounts/is-debit-card-protection-the-same-as-for-credit-cards.htm
 