Situation Update: Boomerang Rentals – 13th January 2015
What happened
On Friday we were contacted by a customer who was concerned that a fraudulent charge had been attempted on his credit card, and he was worried that our system had been compromised. He quoted another person who had made a comment on Twitter of a similar issue.
What we did
We began an investigation as soon as additional concerns were raised. Credit card data is stored in a strongly encrypted format and is not viewable by any internal staff; however, at that stage, we felt we should take the concerns seriously.
Over the weekend, we noticed other people online reporting similar issues and we became increasingly concerned. So, based on the information available at the time and conscious of the concern, we made the decision on Sunday afternoon to take the site off line while we continued our investigations.
Where we are
By Monday morning, we had been contacted directly by a small number of additional customers. We contacted the fraud department of our merchant bank, but they knew of no issue. We also contacted our payment gateway provider and they also had no concerns. They are assisting us in a consultative capacity.
By this time we could see lots of people talking about this online, but only a few people had contacted us directly.
To date we have not found any evidence of a breach of our systems. We are continuing to investigate and continue to take this issue very seriously.
We have also made the decision to very quickly move over to a token method of payment which obviates the need to have encrypted data on our servers, to give our customers further reassurance.
We would not ever wish to be the source of customer card information being compromised, so are making this change urgently. This work will take about a week, and we have removed the card details, in their encrypted form, from our on-line system, and are removing the facility to update or provide card details until the work is complete.
Subscriptions will be processed daily each weekday morning under further supervised controls. Once the new system is in place, we will be able to collect payments through the token system.
We will also investigate the possibility of introducing PayPal as a form of payment as well, to offer our customers further choice.
What next
First we will start to process incoming and outgoing rentals. Then, once we are satisfied that our investigations are complete, we will bring our website back on line so existing customers can see their rental lists. We apologise for the inconvenience caused to our customers while this work is undertaken. Once everything is running again, we will be back in touch and will include updates at that time.
Finally, we would like to re-emphasise that we have not found any evidence of a breach in our systems (our systems were regularly tested for vulnerabilities by a 3rd party specialising in this) but our Engineers and Technical Advisors continue to investigate.
We are aware of the interest and concern this situation has raised and care about our customers and our reputation greatly and are urging our customers to get in touch with us immediately if they have any concerns.
We will shortly be sending an email directly to each of our customers.