A game rental service in the United Kingdom may have been subjected to an online attack that has compromised credit and debit card information. Boomerang Rentals, which sprang to prominence in 2012 when Amazon’s LoveFilm service ceased to provide video games for rent, received a number of messages over the weekend from concerned customers who believed that the service’s security measured may have been compromised after unauthorized payments were made through credit cards associated with accounts from the website. This was followed up by threads on both Reddit and NeoGAF where multiple users reported similar problems, all with the common theme that the cards used had all been associated with Boomerang Rentals at some point in the last two years.
Users have reported unauthorized payments starting from January 4 and some have even reported problems from as recently as yesterday. It is important to take into account the fact that only a small number of customers have reported problems so far but the evidence does point towards the information having been stolen from that rental service’s website. If you have had an account with the website or are a current user you should check your bank statements for any suspicious activity and if you have any concerns can contact both your bank and Boomerang Rentals.
The company has also released a statement dealing with the steps they have taken over the past few days to investigate a possible breach. It states:
By Monday morning, we had been contacted directly by a small number of additional customers. We contacted the fraud department of our merchant bank, but they knew of no issue. We also contacted our payment gateway provide and they also had no concerns. They are assisting us in a consultative capacity.
To date we have not found any evidence of a breach of our systems. We are continuing to investigate and continue to take this issue very seriously.
We would not ever wish to be the source of customer card information being compromised, so are making this change urgently. This work will take about a week, and we have removed the card details in their encrypted form, from our online system, and are removing the facility to update or provide card details until the work is complete.
Subscriptions will be processed daily each weekday morning under further supervised controls. Once the new system is in place, we will be able to collect payments through the token system. We will also investigate the possibility of introducing PayPal as a form of payment as well, to offer our customers further choice.