jammie82uk

Official Club Notice | Your Data May Have Been Compromised


Just received this email from the club, posting it here in case people don’t receive or check them.

 

 

Dear customer,

We have immediately launched an urgent investigation into the theft of customer data from our retail website, shop.lcfc.com. Between 12:43pm on Tuesday 23 April 2019 and 10:49am on Saturday 4 May 2019 the security of our platform was compromised, exposing personal and financial details of customers who purchased merchandise during this period.

The breach has now been resolved and the security of our platforms has been fully restored. The police and other relevant authorities have been notified.

We are contacting all affected customers whose data may have been compromised. If you think you may have been affected by this incident, please contact your bank or credit card provider and follow their recommended advice.

The Club extends its sincerest apologies to all customers affected. We take the protection of our supporters’ data extremely seriously. Please be reassured that we will be investigating this breach thoroughly and taking all legal recourse against those responsible for this malicious attack on the Club's retail website.

We will provide further updates as appropriate upon the completion of our investigation.

Leicester City Football Club

 
 


I just got one of these emails. 

 

I bought some stuff online from the club shop during the affected period. 

 

I can't see any other transactions of concern on my account, so I don't think I actually have to *do* anything. 


They really should be telling you what information specifically may have been compromised. Why are card details even stored in their platform in the first place? That's a bit archaic.

Edited by Beechey
  • Like 1

7 minutes ago, Beechey said:

They really should be telling you what information specifically may have been compromised. Why are card details even stored in their platform in the first place? That's a bit archaic.

Yeah if they could publish all the names, addresses and bank details of everyone affected that would be great  :devil:

 

Just now, LinekersApples said:

I was robbed of 9.5m in the early noughties

 

£5m on Ade Akinbiyi, £3m on Matthew Jones and £1.5m on Trevor Benjamin

 

Mr.P Taylor (Dagenham)

Shouldn’t that be ‘mr m George ‘ ???

1 hour ago, Vacamion said:

I just got one of these emails. 

 

I bought some stuff online from the club shop during the affected period. 

 

I can't see any other transactions of concern on my account, so I don't think I actually have to *do* anything. 

 

 

Sorry, mate, I haven't got around to you yet...

  • Haha 1

7 minutes ago, Fightforever said:

Is everyone affected?

 

No.

 

2 hours ago, jammie82uk said:

We have immediately launched an urgent investigation into the theft of customer data from our retail website, shop.lcfc.com. Between 12:43pm on Tuesday 23 April 2019 and 10:49am on Saturday 4 May 2019 the security of our platform was compromised, exposing personal and financial details of customers who purchased merchandise during this period.

Unless you bought in this period, you're clear. 

  • Thanks 1

1 hour ago, Vacamion said:

I just got one of these emails. 

 

I bought some stuff online from the club shop during the affected period. 

 

I can't see any other transactions of concern on my account, so I don't think I actually have to *do* anything. 

The thing is, when these attacks happen they take all the details of everyone. Just because they haven't used yours yet doesn't mean they don't have them.

39 minutes ago, Beechey said:

They really should be telling you what information specifically may have been compromised. Why are card details even stored in their platform in the first place? That's a bit archaic.

If you've paid online, which is what it highlights was impacted, they need to keep a record of who's paid with what card to get the money from your account, which takes a few days, so details need to be kept to go check this.

33 minutes ago, Gamble92 said:

Absolute shambles 

Not really, do you ignore all the times banks and bigger companies get hacked and card info stolen? 

 

Most of the time, if people want to get into a system and have decent know-how, they'll get in.


I think the length of the breach tells you all that you need to know about how seriously the club appear to take online security. The setup behind the scenes at the club really isn't representative of one of the nation's leading football clubs. It's rather concerning given how much data they actually retain.

43 minutes ago, Beechey said:

They really should be telling you what information specifically may have been compromised. Why are card details even stored in their platform in the first place? That's a bit archaic.

Although it happens a lot, it may not be the case that they've stored them. It's possible to hack websites at the point where you submit your details, so that it also gets sent to the hackers. It's quite common but I'm not suggesting it is the case here, just another option.

 

1 minute ago, ian_marshall said:

I think the length of the breach tells you all that you need to know about how seriously the club appear to take online security. The setup behind the scenes at the club really isn't representative of one of the nation's leading football clubs. It's rather concerning given how much data they actually retain.

As above, it may not be a full site intrusion. Using scripts to take details submitted by customers is harder to detect as everything looks normal and there won't be any logs on the systems etc. It happens a hell of a lot, to big companies as well as small.

  • Like 2
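
An added example, not part of the thread or of the club's code: script-based capture of submitted details leaves nothing in server logs, so one way a shop can look for it is to compare the `<script>` tags its checkout page actually serves against a reviewed baseline. The page markup, the hosts (`shop.example`, `cdn.example`, `stats.example`) and the baseline are all constructed for illustration.

```javascript
// Added example: compare the <script> tags on a checkout page with a reviewed baseline.
// Hosts, paths and the baseline below are constructed, not taken from any real site.
const SAMPLE_HTML = `
<form id="pay"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example/widget.js"></script>
<script src="https://stats.example/t.js"></script>
<script>window.cartId = 42;</script>
<script>window.cartId = 42; /* edited after review */</script>`;

const BASELINE = {
  allowedOrigins: ["https://cdn.example"],   // third parties the shop approved
  reviewedInline: ["window.cartId = 42;"],   // inline scripts as last reviewed
};

// Pull src, integrity and inline body out of every <script> element.
function extractScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(re)) {
    const attr = (name) => {
      const a = new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(m[1]);
      return a ? a[1] : null;
    };
    out.push({ src: attr("src"), integrity: attr("integrity"), body: m[2].trim() });
  }
  return out;
}

// Return one finding per script that the baseline does not account for.
function auditCheckout(html, pageUrl, baseline) {
  const findings = [];
  const pageOrigin = new URL(pageUrl).origin;
  for (const s of extractScripts(html)) {
    if (s.src) {
      const origin = new URL(s.src, pageUrl).origin;
      if (origin === pageOrigin) continue;   // first-party file: verify it on the server
      if (!baseline.allowedOrigins.includes(origin)) {
        findings.push({ kind: "unapproved-origin", detail: origin });
      } else if (!s.integrity) {
        findings.push({ kind: "missing-sri", detail: s.src });
      }
    } else if (s.body && !baseline.reviewedInline.includes(s.body)) {
      findings.push({ kind: "unreviewed-inline", detail: s.body });
    }
  }
  return findings;
}

console.log(auditCheckout(SAMPLE_HTML, "https://shop.example/checkout", BASELINE));
```

Run on a schedule against the live checkout page, a check like this reports a changed or newly added script even when the server itself shows no sign of intrusion.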

41 minutes ago, Gamble92 said:

Absolute shambles 

How is it "an absolute shambles"? Please explain.

12 minutes ago, Kopic said:

Although it happens a lot, it may not be the case that they've stored them. It's possible to hack websites at the point where you submit your details, so that it also gets sent to the hackers. It's quite common but I'm not suggesting it is the case here, just another option.

 

As above, it may not be a full site intrusion. Using scripts to take details submitted by customers is harder to detect as everything looks normal and there won't be any logs on the systems etc. It happens a hell of a lot, to big companies as well as small.

The attack you're mentioning is an injection attack (specifically XSS). If this has occurred I'm even more concerned about whoever is developing this website than before, because they're one of the simplest attacks to avoid, and one of the most common attacks.

 

I really hope it's not the case.

 

If what @UniFox21 is saying is true, and it's just a record of a purchase, then really, card details should not be in danger here - most stores will keep a note of some card information (mostly for say, end user records: "You bought x item for £x using card ending in 1234", and of course, administration back end uses), but not enough to mimic that card (always no security pin, and most of the time no expiration dates). I'm curious to know precisely what has been lost here.

Edited by Beechey

2 minutes ago, Beechey said:

The attack you're mentioning is an injection attack (specifically XSS). If this has occurred I'm even more concerned about whoever is developing this website than before, because they're the simplest attacks to avoid, and one of the most common attacks.

 

I really hope it's not the case.

I hope they release an RCA, although it's probably doubtful. Will be a great concern if data was compromised by an injection attack.

