Statement on Compromised Customer Data

At around 1pm on Easter Monday we started to receive a large number of calls, emails, live chats and text messages from concerned clients about a scam SMS text message purporting to be sent from BaT, offering a free track day in return for confirmation of bank/card details. The site was an incredibly well presented replica of the genuine BaT site and significant care had been taken to ensure it looked authentic. Several hundred emails, live chats, texts and phone calls from clients later, I finally have time to start typing this statement to update the BaT community.

Within 30 minutes I had cancelled my bank holiday plans and both emailed and texted the entire BaT database with a notification that this was a scam and that no details should be passed over.

In the hours that followed, my two technical guys and I worked to identify the source of the data that has been used for this scam. By cross-referencing website logs, new accounts and mobile numbers we believe the data was not from the current live site, but from an older database of users stored on one of our servers.

We have previously conducted extensive penetration testing on our new servers and have the PCI-DSS compliance certificates to back this up.

At this stage, from our investigations, it would appear that hackers were able to access older, now unused services, for an hour before our systems detected their intrusion. This is clearly a failing for which I am responsible and deeply sorry.

We are confident this breach has been identified and isolated, but unfortunately it would appear the client database was definitely compromised, including full name, address, mobile number and email address. All passwords on our new site are stored in MD5 encrypted format; however, I am aware that parts of some users' passwords were visible on the scam website, which at this stage I suspect came from an early version of BaT code preceding our move to full encryption.
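For readers wondering what the difference is between the "MD5 encrypted format" mentioned above and what is usually meant by password hashing, the following is an added illustration and not BaT's code. It shows why an unsalted MD5 digest reveals when two accounts share a password, and contrasts it with salted, iterated PBKDF2-HMAC-SHA256 from the Python standard library, where every stored value is unique and verification uses a constant-time comparison. The sample passwords, iteration count and storage string format are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count chosen for the example; production systems tune this to their hardware.
PBKDF2_ITERATIONS = 200_000


def md5_hex(password: str) -> str:
    """Unsalted MD5 digest of a password: fast, and identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256.

    Returns a self-describing string 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'
    (format constructed for this example) so the parameters can be upgraded later.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iterations; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept it
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_visible(scheme: str, pw_a: str, pw_b: str) -> bool:
    """True if two users choosing the same password produce identical stored records.

    scheme is 'md5' or 'pbkdf2'; used to show the salt's effect on a leaked table.
    """
    if scheme == "md5":
        return md5_hex(pw_a) == md5_hex(pw_b)
    return hash_password(pw_a) == hash_password(pw_b)


if __name__ == "__main__":
    # Constructed sample credentials, not real user data.
    record = hash_password("track-day-2015")
    print("stored:", record)
    print("login ok:", verify_password("track-day-2015", record))
    print("wrong pw:", verify_password("Track-Day-2015", record))
    print("md5 leaks shared password:", shared_password_visible("md5", "pass", "pass"))
    print("pbkdf2 leaks shared password:", shared_password_visible("pbkdf2", "pass", "pass"))
```

The practical consequence for a leaked table: with unsalted MD5, one recovered password unlocks every account that chose it, whereas with per-user salts each record has to be attacked separately and each guess costs the full iteration count.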

If you use the same password on sites other than the BaT website, it's important you change it now.

If you were prompted to complete your card details on the scammer's form you may have been presented with the first and last four digits of the card number - this is the only information they have, as BaT do not store full customer card details on our servers, so assuming you did not complete the scammer's form, I can confirm without any doubt that your credit/debit card details have not been compromised.

You do not need to cancel your credit / debit cards, unless you entered them in the scam website.

As a precaution we notified our merchant provider (Lloyds Cardnet) and our online payment provider (Secure Trading) who offered support and advice on how to deal with the situation.

Please be assured that protection of your data is a primary concern of ours. BaT will never sell (or otherwise give away) your data to third parties and we consider this an abhorrent attack on both BaT and our clients. We will of course be working with the Police to share data we have captured during our investigations.

Sarah and I are deeply sorry this incident has occurred. Whilst there is a long list of much larger companies that have been hacked in similar circumstances, this does not change the fact that you trusted us with your details and did not expect to be inconvenienced in this manner.

We remain committed to offering exceptional customer service and are horrified at the thought of this incident affecting you, or our reputation. In the few hours since we first became aware of the scam we have suffered unfathomable stress and anxiety as we strive to prevent any further damage and distress to our customers.

At some point I'll share the cost and other associated nightmares this has caused, but for now, I wanted to ensure you had this information and understood we were doing our best. As we find out more I'll update you.

If you have any specific concerns please do contact us by email or live chat rather than by phone as we have limited resources and clearly need to manage the fallout from this incident as efficiently as possible so we can get back to our primary business of organising track days as soon as possible.

Kind regards,

Jonny & Sarah

Jonny Leroux
06 April 2015
