On 16 November we became aware of a serious data breach that had compromised the personal details of a number of customers.
We take customer security incredibly seriously. It’s imperative to us that you, our customers, are supported and protected to the greatest of our ability.
Answers to many of the questions our customers have asked are listed below. If you would like to discuss any concerns you have please contact us. You can email firstname.lastname@example.org or call us on 020 7183 9818.
What personal information has been compromised?
The complete list of data that has been compromised is:
Credit/debit card number
- Credit/debit card CVC (the three or four digit code on your card)
- Credit/debit card expiry date
- Full address (including postcode)
This is the full list. Other personal information including name, email address and password were not affected.
Will I get compensation?
If there has been any fraudulent transactions on your card contact your bank. They will process reimbursements to your account. All compensation will be handled with your bank.
Why wasn’t I notified of this earlier?
Affected customers were contacted as soon as we were able to identify that an attack had been made and were able to identify which customers were affected.
Detailed timeline of events
On Friday 13 November we identified 3 customers whose subscription payments to us had failed as a result of suspected fraudulent payments being made on their cards. There was no reason at this stage for us to believe this was caused by us but it prompted us to investigate further. On Friday and over the weekend we were unable to identify any security issues. However, on Monday 16 our technical team identified two pieces of malicious code that had been placed on our systems. We immediately fixed the issue and identified a timeline for the attack. We used this timeline to identify customers who are affected. As soon as we were clear that an attack had been made we notified customers of the incident and any further actions we believed they should take.
What was the breach?
Our investigations identified two pieces of malicious code that had been placed on our server and in our database. These codes were transferring personal data from our secure payment pages to a another file on our server which was subsequently sending the data to an external site. Credit card details were not, and never have been, stored in our database or elsewhere on our server.
As soon as this code was identified we removed it and launched a more detailed investigation into the security of our payment systems.
Our payment pages continue to be served securely over HTTPS and our credit card processing facility, Stripe heavily protects and encrypts all customer data. Before data is sent to Stripe it is tokenised (as it always has been), meaning that even if external access were gained to the token that contains your data it could not be accessed in a format usable by an attacker.
How did the breach happen?
With an attack of this nature there are two possible causes. Either someone with approved access placed the code there, or an external attacker gained access to our systems and did the same. Given the level of access and knowledge of our systems required for this attack, and our existing security measures, we are focussing our investigations and follow up actions on the possibility of an internal attack.
At this time we do not believe that any external access to our systems was gained, nor do we believe that the type of data obtained could be extracted through an external attack.
However, we are keeping an open mind and continue to investigate all possibilities.
What happens now?
Our first step has been to review and limit access to our systems. Only a limited number of individuals now have access to our servers and databases and all relevant passwords and access controls have been changed. Within the EdPlace team only two people have access to these services. External contractors continue to require access - this access is limited to three trusted individuals.
We will be appointing an external security consultant to make a full review of internal security processes and will be implementing their recommendations as a priority.
We have also undertaken a review of any external vulnerabilities. We believe that our systems are secure from any external threats but are continuing to add further layers of security on top of our existing infrastructure. Our payment pages continue to be served securely over HTTPS and using an Extended Validation SSL certificate provided by Digicert. We continue to use Stripe as our payment gateway, which heavily protects and encrypts all customer data. Before data is sent to Stripe it is tokenised (as it always has been), meaning that even if external access were gained to the token that contains your data it could not be accessed in a format usable by an attacker. Credit card details are not, and never have been, stored in our database.
A further external review of overall site security will also be undertaken.
How do I report fraud?
You can do so by contacting Action Fraud (the National Fraud & Cyber Crime Reporting Centre). Please visit http://www.actionfraud.police.uk/ for details.
How do I update my details?
To update your card details you can log in to your account, navigate to the My Subscription page and then click on the ‘Update card’ link. The system for updating credit cards is secure.
A full explanation is contained in this helpdesk article.
Am I affected?
We believe that the attack is limited to customers who signed up for our service between 19 August 2015 and the morning of 16 November 2015. If you were an existing customer and updated your card details during this period you are not affected. If you signed up before or after this period you are not affected.
If you would like us to confirm your sign up date please contact us by emailing email@example.com or calling 020 7183 9818.
Do I need to cancel my account?
No. If you have updated your card details with us then your subscription will carry on as normal.
If your card has been blocked then you are likely to receive an email from us about failed payments. Once you have updated your card and the payment is received you will no longer receive these.
If you would like to cancel your account you can follow the instructions here.
Are you PCI compliant?
Yes. We use Stripe to process payments and by using their API we ensure that credit card details are not stored or processed on our servers. Stripe themselves are PCI Service Provider Level 1 compliant, the highest possible level, and have additional security measures in place on their own servers.
I have been trying to contact you by phone but can’t get through. How can I speak to someone?
We are aware that many customers have tried to contact us by phone. We have a large backlog of email communication from customers. We are bringing in additional customer service representatives to help us handle the high level of communication we are receiving.
In the meantime the most reliable way to contact us is via email (firstname.lastname@example.org). We are reviewing and responding to these as quickly as we can.
If you would prefer to speak to someone directly and can’t currently get through please leave us a voicemail and we will return your call as soon as we can.