Updated Worker perks-flinger Sodexo has told a number of customers to cancel their credit cards following "a targeted attack" on its cinema vouchers platform, Filmology.
The scheme, which provides UK employee rewards via discounted cinema tickets, has also taken its site down "for the foreseeable future" in order "to eliminate any further potential risk" to consumers and to protect consumers' data.
In an email to customers, seen by The Register, Sodexo Filmology said it had informed the UK Information Commissioner's Office and a specialist forensic investigation team.
"We would advise all employees who have used the site between 19th March-3rd April to cancel their payment cards and check their payment card statements," it said.
"These incidents have been caused by a targeted attack on the system we use to host our Cinema Benefits platform, despite having put in place a number of preventative measures with CREST-approved security specialists."
It seems the issue has been going on for several months, with one employee complaining on the Money Saving Expert forum in February that he had been the victim of attempted fraud.
He wrote: "After speaking to Filmology to ask exactly what had happened, I was informed that my bank details were stolen from the payment page and that the incident has been reported to the ICO. The hack on the payment page was carried out over 2 months and involved many accounts."
Benn Morris, founder of 3B Data Security, which forensically investigates credit card breaches, said: "In terms of who is at fault, that is unanswerable without looking at the investigation.
"While the merchant is ultimately responsible, that does not mean they caused the breach as it could be down to outsourcing a service to a third party, or a fault in one of the software products they are using. All will have to be PCI compliant [the payment card industry's data security standard]."
Advice to cancel cards might be due to Visa, MasterCard or the card issuer having spotted a pattern of fraudulent activity and having alerted the merchant after suspecting it was the common point of purchase for those fraudulent transactions. "In which case they are taking a precautionary step by informing customers in this way," Morris said.
He added that taking the website down was one way of ensuring no further breaches occurred. "That doesn't often happen, but it might be in this case they are still taking payments through other means. Again, that doesn't necessarily imply a hack."
In a statement Sodexo said the breach only affected customers in the UK and Ireland. It said the company had previously been made aware of similar unlawful access to personal data on Sodexo Filmology platforms, and immediately notified the authorities, including law enforcement agencies, as well as affected customers.
"Since that incident, Sodexo has continued to carefully monitor and audit the site, and was thereby able to identify additional unlawful access to personal data that were used on certain Sodexo Filmology platforms." It added that the recent attack occurred despite having put in place a number of preventative measures with CREST-approved security specialists. It then took the decision to take the website down.
"We apologise for the inconvenience this has caused and are doing all that we can to provide access to these benefits via alternative means. We will share more information on this with our customers in due course." ®