Cinema voucher-pusher tells customers: Cancel your credit cards, we've been 'attacked'

Website taken down 'for the foreseeable future'


Updated Worker perks-flinger Sodexo has told a number of customers to cancel their credit cards following "a targeted attack" on its cinema vouchers platform, Filmology.

The scheme, which provides UK employee rewards via discounted cinema tickets, has also taken its site down "for the foreseeable future" in order "to eliminate any further potential risk" to consumers and to protect consumers' data.

In an email to customers, seen by The Register, Sodexo Filmology said it had informed the UK Information Commissioner's Office and a specialist forensic investigation team.

"We would advise all employees who have used the site between 19th March-3rd April to cancel their payment cards and check their payment card statements," it said.

"These incidents have been caused by a targeted attack on the system we use to host our Cinema Benefits platform, despite having put in place a number of preventative measures with CREST-approved security specialists."

It seems the issue has been going on for several months, with one employee complaining on the Money Saving Expert forum in February that he had been the victim of attempted fraud.

British post box

£12k fine slapped on Postman Pat and his 300,000 spam emails

READ MORE

He wrote: "After speaking to Filmology to ask exactly what had happened, I was informed that my bank details were stolen from the payment page and that the incident has been reported to the ICO. The hack on the payment page was carried out over 2 months and involved many accounts."

Benn Morris, founder of 3B Data Security, which forensically investigates credit card breaches, said: "In terms of who is at fault, that is unanswerable without looking at the investigation.

"While the merchant is ultimately responsible, that does not mean they caused the breach as it could be down to outsourcing a service to a third party, or a fault in one of the software products they are using. All will have to be PCI compliant [the payment card industry's data security standard]."

Advice to cancel cards might be due to either Visa, MasterCard or the card issuer having spotted a pattern of fraudulent activity and having alerted the merchant after suspecting they are the common point of purchase for fraudulent activity. "In which case they are taking a precautionary step by informing customers in this way," Morris said.

He added that taking the website down was one way of ensuring no further breaches occurred. "That doesn't often happen, but it might be in this case they are still taking payments through other means. Again, that doesn't necessarily imply a hack."

In a statement Sodexo said the breach only affected customers in the UK and Ireland. It said the company had previously been made aware of similar unlawful access to personal data on Sodexo Filmology platforms, and immediately notified the authorities, including law enforcement agencies, as well as affected customers.

"Since that incident, Sodexo has continued to carefully monitor and audit the site, and was thereby able to identify additional unlawful access to personal data that were used on certain Sodexo Filmology platforms." It added that the recent attack occurred despite having put in place a number of preventative measures with CREST-approved security specialists. It then took the decision to take the website down.

"We apologise for the inconvenience this has caused and are doing all that we can to provide access to these benefits via alternative means. We will share more information on this with our customers in due course." ®

Similar topics

Broader topics


Other stories you might like

  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading
  • There are 24.6 billion pairs of credentials for sale on dark web
    Plus: Citrix ASM has some really bad bugs, and more

    In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

    Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

    Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

    Continue reading
  • Elasticsearch server with no password or encryption leaks a million records
    POS and online ordering vendor StoreHub offered free Asian info takeaways

    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

    Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

    StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Millions of people's info stolen from MGM Resorts dumped on Telegram for free
    Meanwhile, Twitter coughs up $150m after using account security contact details for advertising

    Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

    The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked." MGM Resorts, a hotel and casino chain, did not respond to The Register's request for comment.

    The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter's Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

    Continue reading
  • India gives local techies 60 days to hit 6-hour deadline for infosec incident reporting
    Customer data collection and retention requirements also increased, including for crypto operators

    India's Computer Emergency Response Team (CERT-In) has given many of the nation's IT shops a big job that needs to be done in a hurry: complying with a new set of rules that require organizations to report 20 different types of infosec incidents within six hours of detection, be they a ransomware attack or mere compromise of a social media account.

    The national infosec agency stated the short deadline is needed as it has identified "certain gaps causing hindrance in incident analysis."

    Organizations can use email, phone, or fax to send incident reports. Just how the analog mediums will improve improve analysis gaps is uncertain.

    Continue reading
  • Coca-Cola probes pro-Kremlin gang's claims of 161GB data theft
    Life tastes not so good right now

    Coca-Cola confirmed it's probing a possible network intrusion after the Stormous cybercrime gang claimed it stole 161GB of data from the beverage giant.

    "We are aware of this matter and are investigating to determine the validity of the claim," Coca-Cola communications global vice president Scott Leith told The Register on Tuesday. "We are coordinating with law enforcement."

    The ransomware gang, which has declared its support for the Russian government's illegal invasion of Ukraine, this week bragged it "hacked some of the company's servers and passed a large amount of data inside them without their knowledge." It's now trying to sell the stolen data for about $64,000, or nearest offer "depending on the amount of data you want," Stormous wrote on its website where it leaks pilfered information.

    Continue reading

Biting the hand that feeds IT © 1998–2022