Statement on Compromised Customer DataAt around 1pm on Easter Monday we started to receive a large number of calls, emails, live chats and text messages from concerned clients about a scam SMS text message purporting to be sent from BaT, offering a free track day in return for confirmation of bank/card details. The site was an incredibly well presented replica of the genuine BaT site and significant care had been taken to ensure it looked authentic. Several hundred emails, live chats, text's and phone calls from clients later I finally have time to start typing this statement to update the BaT community.
Within 30 minutes I had cancelled my bank holiday plans and both emailed and texted the entire BaT database with a notification that this was a scam and that no details should be passed over.
In the hours that followed, myself and my two technical guys worked to identify the source of the data that has been used for this scam. By cross-referencing website logs, new accounts and mobile numbers we believe the data was not from the current live site, but from an older database of users stored on one our servers.
We have previously conducted extensive penetration testing on our new servers and have the PCI-DSS compliance certificates to back this up.
At this stage, from our investigations, it would appear that hackers were able to access older, now unused services, for an hour before our systems detected their intrusion. This is clearly a failing for which I am responsible and deeply sorry.
We are confident this breach been identified and isolated, but unfortunately it would appear the client database was definitely compromised, including full name, address, mobile number and email address. All passwords on our new site are stored in MD5 encrypted format, however I am aware that parts of some users passwords were visible on the scam website, at this stage I suspect from an early version of BaT code preceding our move to full encryption.
If you use the same password, on sites other than the BaT website, it's important you change them now.
If you were prompted to complete your card details on the scammer's form you may been presented with the first and last four digits of the card number - this is the only information they have as BaT do not store full customer card details on our servers, so assuming you did not complete the scammers form, I can confirm without any doubt your credit/debit card details have not been compromised.
You do not need to cancel your credit / debit cards, unless you entered them in the scam website.
As a precaution we notified our merchant provider (Lloyds Cardnet) and our online payment provider (Secure Trading) who offered support and advice on how to deal with the situation.
Please be assured that protection of your data is a primary concern of ours. BaT will never sell (or otherwise give away) your data to third parties and we consider this an abhorrent attack on both BaT and our clients. We will of course be working with the Police to share data we have captured during our investigations.
Sarah and I are deeply sorry this incident has occurred. Whilst there is a long list of much larger companies that have been hacked in similar circumstances, this does not change the fact that you trusted us with your details and did not expect to be inconvenienced in this manner.
We remain committed to offering exceptional customer service and are horrified at the thought of this incident affecting you, or our reputation. In the few hours since we first became aware of the scam we have suffered unfathomable stress and anxiety as we strive to prevent any further damage and distress to our customers.
At some point I'll share the cost and other associated nightmares this has caused, but for now, I wanted to ensure you had this information and understood we were doing our best. As we find out more I'll update you.
If you have any specific concerns please do contact us by email or live chat rather than by phone as we have limited resources and clearly need to manage the fallout from this incident as efficiently as possible so we can get back to our primary business of organising track days as soon as possible.
Jonny & Sarah
06 April 2015
Other blog posts
Eastern European Trip 2016
Read about our recent adventures in Eastern Europe at Brno, Slovakiaring and Hungaroring.View
Job Opportunity - Junior Sales Executive
Job Opportunity - BookaTrack seek Junior Sales Executive to join the team.View
Spa March 2016
We swapped Easter eggs for Spa last weekend. Read Leanne Fahy's account of our recent trip.View
BookaTrack Caterham Launch Event
Join BookaTrack Caterham for an exciting showroom launch on Saturday 5th March.View
Meet the BaT Team - David Bailey
Meet the BaT team - here we introduce instructor David Bailey.View
Spa November 2015
Leanne Fahy looks back over our recent trip to Spa.View
BaT Member Profile - Linzi and Giles Roadnight
The first blog in our BaT member profile feature - here we introduce Linzi and Giles Roadnight.View
Job Opportunity - Customer Service and Sales Executive
Job Opportunity - BookaTrack seek Customer Service and Sales Executive to join the teamView
BookaTrack to open official Caterham dealership at Donington
Exciting news as BookaTrack open official Caterham dealership at their Donington Park headquarters.View
Spanish Trip September 2015
Leanne Fahy's report on our latest European trip to Circuit Ricardo Tormo, Valencia & Barcelona Catalunya.View