ASAP Data Breach

I bought stuff from ASAP during those periods and have not received an e-mail, checked junk mail

Purchases were via Paypal so maybe that makes a difference?
 
I bought stuff from ASAP during those periods and have not received an e-mail, checked junk mail

Purchases were via Paypal so maybe that makes a difference?

I used Paypal but still got the email.

When I spoke to them on Monday, they specifically said that they sent the email only to those people who had signed up to receive their newsletter. Although I had bought stuff from them (most recently in March), they had not emailed me about the problem because I wasn't on their newsletter distribution list.

I'm therefore guessing that skipper_stu gets their newsletters, but gavin400 (like me) does not.
 
I do not get their promotions news but still got the email regarding the data breach though I have not purchased from ASAP for well over a year. I decided that they were just too lazy or cautious to be properly specific in the way Force 4 have been, so decided to do nothing.
 
When I spoke to them on Monday, they specifically said that they sent the email only to those people who had signed up to receive their newsletter.
That seems an odd way of deciding who to communicate their issue with. Surely that can't be down to GDPR restrictions as anyone who has bought from them and is therefore at risk would have had a contract with ASAP and therefore could be legitimately contacted via their held contact details.
 
I do not get their promotions news but still got the email regarding the data breach though I have not purchased from ASAP for well over a year. I decided that they were just too lazy or cautious to be properly specific in the way Force 4 have been, so decided to do nothing.

Then that is a bit odd and conflicts with what I was told.

That seems an odd way of deciding who to communicate their issue with. Surely that can't be down to GDPR restrictions as anyone who has bought from them and is therefore at risk would have had a contract with ASAP and therefore could be legitimately contacted via their held contact details.

Agreed. If it weren't for this thread I would be none the wiser.
 
Just received an update from ASAP which has a date/time range (21 August 2018 2pm to 10am on 25 September 2018) - good on them:

Dear Customer,

We are now able to confirm malicious software was present on our site between 21 August 2018 2pm to 10am on 25 September 2018.

If you used www.asap-supplies.com during this time, the data detailed below has been compromised, dependent on how you interacted with the website:

All customers inputting any of the following data during the above dates:

First and last name
Billing address
Shipping address
Phone number
Email address


PayPal and A.S.A.P Supplies Ltd account holders:

As above (no payment details compromised)


Customers who entered payment details and completed their purchase and customers who entered their payment details but did not complete their purchase:

As above, plus:
Card number
Expiry date
CVV - security code


What to do now?
If you have not done so already, please call the number on the back of your card and let the issuing financial institution know to cancel your card/s used on our site during these dates. Please also review your credit card and bank statements, looking for unfamiliar or suspicious activity. If you see a transaction that isn’t yours, contact your financial institution as a matter of urgency.

We sincerely apologise for this experience and want to reiterate that we are fully committed to protecting your data. We continue to work with the Police, Action Fraud and Information Commissioner’s Office (ICO) to investigate this incident in depth.

If you think you have been a victim of fraud please report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040.

If you have further questions or concerns, you can contact our customer services team on dsincident@asap-supplies.com who will do what they can to help you.

David Cottam
Commercial Director
A.S.A.P. Supplies Limited



ASAP Supplies | Reed House | Ellough Industrial Estate | Beccles, Suffolk NR34 7TD | United Kingdom
Unsubscribe from future marketing messages from ASAP Supplies
 
Yes, just received this email as well.
As I ordered stuff 4th September I fall into that date range and have just cancelled my card.
What a pain, I guess they are going to lose a LOT of customers
 
At least they have identified and communicated the dates. In the past I have had my card cloned by a hack at a well known online retailer of cycle parts - they knew they had been breached but didn't warn customers it had happened, they have definitely lost a customer. I'll still shop with ASAP - it could happen to anyone and they have communicated that it happened and identified the date range which is as much as you can hope for.

In this case it looks as though card details have been scraped as they were entered, much like the BA case, so not storing your card details with the supplier wouldn't have helped.
 
Yes, just received this email as well.
As I ordered stuff 4th September I fall into that date range and have just cancelled my card.
What a pain, I guess they are going to lose a LOT of customers

+1
I checked all my debit and credit cards and oddly found £1 taken from an MBNA card just out of that date range.
All other cards' statements show no spurious transactions.

I say oddly because I only ever use that card for Amazon purchases and AFAIK Amazon haven't supplied me with anything from ASAP.
MBNA's card on-line information does not give details of what was purchased, or who the trader might have been.
Checking my Amazon "orders page" there is no sign of a £1 transaction.

Coincidence, error on Amazon's part, or what.
MBNA couldn't shed light on the matter. Card cancelled. Bother!

Mystified :confused:
 
Amazon do seem to do strange things. I recently had a £1 'pending' Amazon transaction on my card for over a week after I had placed an order with them - the order was paid and fulfilled long before that pending charge disappeared.
 
Amazon do seem to do strange things. I recently had a £1 'pending' Amazon transaction on my card for over a week after I had placed an order with them - the order was paid and fulfilled long before that pending charge disappeared.

That's very interesting, and reassuring. I shall monitor the situation.
Quite why they should do that is beyond me.
Perhaps someone on here might know?

Thanks
 
Yes, just received this email as well.
As I ordered stuff 4th September I fall into that date range and have just cancelled my card.
What a pain, I guess they are going to lose a LOT of customers

Of course they may lose customers but not me. I think that they handled the data breach very well: communicated to me without delay, and then told me what they had discovered in a very clear manner.

All use of a card is somehow vulnerable to fraud: most recently for me it was in a restaurant and the first I knew of it Barclaycard contacted me to ask if I was buying lots of HiFi in Liverpool (which I wasn't!). My companion had her card refused in a hotel, and then a few days later it was being 'used' in China. Sh*^ happens.

So although of course I'd be swearing and cussing if I'd had to cancel my card, nonetheless I think ASAP reacted well and looking to the future I suspect that they will be as good or better than any of their competitors. Hence why stop using them?
 
That's very interesting, and reassuring. I shall monitor the situation.
Quite why they should do that is beyond me.
Perhaps someone on here might know?

Thanks

This is the recommended way to test the validity of a proposed transaction, and security experts are recommending you do this when making online payments to accounts you have not paid before.

I suspect Amazon security systems flagged up your transaction as potentially suspicious and put a notional £1 through to see if it triggered a bank rejection as a cancelled or compromised card.
 
I now get a message saying "We’re currently working on some improvements to our site and will be back online soon. ".

I get this too.

The 2nd email I got from them mentions they found malware on several pages. I suspect they made the wise (though frustrating) decision to take the site down to ensure no one else can have their data compromised while they work to remove the malware and patch the security hole that let it get installed in the first place. I expect it could potentially be down for a while, especially if they have to do something drastic like wipe and rebuild the site.

Regarding the emails, I don't know why only some people got them and not others, but I think it's very good that they didn't wait for the details before sending the first one to warn customers, then followed up later with the details when they were known. I'll be happy to buy from them again when they are back, though only using paypal.
 