SportPursuit coughs to being hacked. When? What got nicked? They ain't saying
Firm doesn't hold card details – except when it does
Update: Clothes website SportPursuit was hit by hackers over the Easter weekend, potentially losing customers' bank card details.
SportPursuit admitted on Sunday that it had "uncovered evidence" of "an attempted data hack" which "may have affected" what it claims were "a limited number" of its customers.
The company's statements to the public have been very light on details. It has stated it has "informed" customers who may be affected. The firm's email, however, which has been shared with The Register, only suggests to customers that their card details "may" have been stolen.
What other data was accessed and when the attack took place have not been confirmed. The company shrugged in its email: "It is possible that the customer data accessed includes debit or credit card details."
As one reader complained to us: "Seemingly this information was left unencrypted. I’d be rather surprised if this didn’t violate the PCI-DSS standards imposed by the payment processors."
Fair to say @SportPursuit's handling of their apparent data breach is utter pants – seems they don't have a clue what "may have" happened — Gareth Ryan (@wizbongre) March 27, 2016
After El Reg published this story, SportPursuit contacted us to confirm it had notified the ICO about the hack. In response to our other enquiries, we were told: "As soon as our site monitoring alerted us to the incident our technical team acted quickly to resolve the issue."
Another Reg reader has told us how SportPursuit states in its T&Cs that it does not hold debit/credit card details. Our reader asked how, then, SportPursuit had managed to lose such details if it didn't store them. In an email response, the company explained:
SportPursuit does not store our members' credit or debit card details. However, during changes to our website, an error in the code meant that some credit and debit card details were inadvertently stored.
They were automatically encrypted by our systems using a strong encryption algorithm.
When we became aware that bank details were being stored, we immediately took steps to stop this from taking place and deleted the card details that had been stored. No CVV numbers have been stored on our systems at any point.