Boomerang Rentals Issues Statement Following Alleged Security Breach
Original Article (See bottom of article for updates to this story):
UK-based Boomerang Rentals, a videogame rental service, issued a statement Monday, January 12th, following earlier allegations that customer information had been compromised.
Initial reports alluding to a possible breach surfaced on the Xbox One channel of Reddit on Friday, January 9th, inquiring speculatively as to whether customer card details could have been leaked and/or stolen. Reddit user Dannytuppeny highlighted the issue, claiming that he had noticed a series of fraudulent transactions on his debit card.
Several other customers came forward stating they too were seeing fraudulent activity taking place on their debit and credit cards.
Boomerang Rentals were quick to respond to the growing allegations, posting in the same Reddit thread. The company stated that “it is very unlikely someone could retrieve your card details”. Boomerang Rentals did not outright refuse any liability, but the company did also suggest that the leak may be due to an ongoing “O2/Vodafone fraud problem”.
Following growing user concern over the weekend, Boomerang Rentals took their website offline early Monday morning, citing “maintenance work” as the reason for the closure.
A statement from the company was also made available shortly after, reading as follows:
Following an initial enquiry at the end of last week, we have had a number of customers raise concerns regarding fraudulent payment attempts on their card details that are also registered with us.
We are fully investigating this issue and have temporarily removed access to our website while this continues.
We have contacted our Payment Provider Sagepay and our Merchant Bank World Pay and neither have any reported concerns relating to us.
However, please be assured we are treating this with the utmost urgency and can provide more information on our findings as they become available.
If you have any concerns, please contact your card issuer.
We apologise for any inconvenience the removal of our site has caused and thank you for your patience as we continue to investigate further.
Boomerang Rentals rose to prominence in 2013, when then-leading competitor LoveFilm announced they would no longer be offering game rentals.
Are you a Boomerang Rentals customer? Let us know in the comments if you’ve experienced any issues with your account.
As of midday on Tuesday, January 13th the Boomerang Rentals site is still offline. An updated statement from the company detailed that investigations are continuing and that the security of the customer experience with Boomerang is “extremely important”.
Boomerang added that their service “will be limited for a time” whilst the company “conduct continued investigations and work towards resuming a normal service as soon as possible”.
Despite the website being offline many customers are receiving ‘frustrating’ service emails from the company, such as those prompting customers to fill an empty rental queue — something they can’t do whilst the site is down.
Boomerang Rentals issued the following press release on the afternoon of Tuesday, January 13th:
Situation Update: Boomerang Rentals – 13th January 2015
On Friday we were contacted by a customer who was concerned that a fraudulent charge had been attempted on his credit card, and he was worried that our system had been compromised. He quoted another person who had made a comment on Twitter of a similar issue.
What we did
We began an investigation as soon as additional concerns were raised. Credit card data is stored in a strongly encrypted format and not viewable to any internal staff, however, at that stage, we felt we should take the concerns seriously.
Over the weekend, we noticed other people online reporting similar issues and we became increasingly concerned. So, based on the information available at the time and conscious of the concern, we made the decision on Sunday afternoon to take the site off line while we continued our investigations.
Where we are
By Monday morning, we had been contacted directly by a small number of additional customers. We contacted the fraud department of our merchant bank, but they knew of no issue. We also contacted our payment gateway provider and they also had no concerns. They are assisting us in a consultative capacity.
By this time we could see lots of people talking about this online, but only a few people had contacted us directly.
To date we have not found any evidence of a breach of our systems. We are continuing to investigate and continue to take this issue very seriously.
We have also made the decision to very quickly move over to a token method of payment which obviates the need to have encrypted data on our servers, to give our customers further reassurance.
We would not ever wish to be the source of customer card information being compromised, so are making this change urgently. This work will take about a week, and we have removed the card details in their encrypted form, from our on-line system, and are removing the facility to update or provide card details until the work is complete.
Subscriptions will be processed daily each weekday morning under further supervised controls. Once the new system is in place, we will be able to collect payments through the token system.
We will also investigate the possibility of introducing PayPal as a form of payment as well, to offer our customers further choice.
First we will start to process incoming and outgoing rentals. Then, once we are satisfied that our investigations are complete, we will bring our website back on line so existing customers can see their rental lists. We apologise for the inconvenience caused to our customers while this work is undertaken. Once everything is running again, we will be back in touch and will include updates at that time.
Finally, we would like to re-emphasise that we have not found any evidence of a breach in our systems (our systems were regularly tested for vulnerabilities by a 3rd party specialising in this) but our Engineers and Technical Advisors continue to investigate.
We are aware of the interest and concern this situation has raised and care about our customers and our reputation greatly and are urging our customers to get in touch with us immediately if they have any concerns.
We will shortly be sending an email directly to each of our customers.