Attention!!! Hannants Hacked

StephenLawson · 27 October 2010, 06:16 AM

A good friend of mine in France just posted this to me.

"I don't know if you are aware of the fact that Hannants had it's credit card database hacked in some way and that many customers (me included it seems) have had their credit card number used by criminals online.

Here is what Hannants have sent to some of their customers (their website is down for the moment):

'Dear Customer

We are very sorry to have to tell you that a number of customers who have used our website have had their card details stolen and used by criminals.

ALL CUSTOMERS THAT HAVE ENTERED CARD NUMBERS ON OUR NEW WEBSITE PLEASE CHECK YOUR ACCOUNTS FOR SUSPICIOUS CHARGES OR ATTEMPTED CHARGES. If you see any please contact your company that issued your card.

At the moment no one is sure how this has happened. There are several internet security firms investigating everything and we will keep you all updated as soon as we can.

There is no sign of any intrusion into the server where the card number and
expiry date information that we keep is encrypted*. The CVV number is not
stored.

After looking at the information we have received we think this mainly affects
some customers who have sent us an order in the last 2 weeks though there are 3 from September.

We have been contacted by about 40 customers so far but are not sure how many others have had their cards compromised but have not told us yet. If you know your card has been compromised PLEASE tell us. Please send us as much information as you can as soon as you can. We need as much information as soon as possible.

Please look out for small 'insignificant' test charges of under $5.00 followed
by larger charges of varying amounts. Charges have originated from different
countries and in different currencies.

Until we have found out what has caused this problem and it has been fixed we have closed the website. None of the experts can find any problems with it but until the problem is resolved we prefer not to take any risks.

We have deleted ALL card numbers from the website database. We are aware that a few of you wanted access so you could delete your details but we have done this for everyone.

Paypal. We have been asked why we do not accept it. There are 2 reasons. Firstly when we started work on the new website 4 (four) years ago we could not get it to work with the fully stock controlled warehouse that we wanted to run. We did some trials but it took too long for payments arrive in our bank account which would seriously have delayed the dispatch of orders. Things have now improved. Secondly it was too expensive. 3 times the cost of handling Visa and Mastercard.

All our payments are now handled by Sage pay, a large British firm. Recently
they have started working with Paypal and our website designers had been doing some work to incorporate it into the website. We are going to speed up the work on this and try to get it incorporated quicker.

We will re-open the website as soon as we can but will not be rushing into it.

Thank you for your help and understanding.

ALL CUSTOMERS THAT HAVE ENTERED CARD NUMBERS ON OUR NEW WEBSITE PLEASE CHECK
YOUR ACCOUNTS FOR SUSPICIOUS CHARGES OR ATTEMPTED CHARGES.
If you see any please contact your company that issued your card.

* This data is stored so that customers do not have to enter it each time they order and so that we can run a back order service. ' "

RLWP · 27 October 2010, 06:55 AM

Dammit. That's probably why my credit card has been stopped.

Thanks for the heads up

Richard

Widmerpool · 27 October 2010, 07:36 AM

Thanks for the heads up Stephen. I just got a call from my credit card's security office saying there'd been a suspicious charge by an unknown company, "MTB&D", for $2.71 on my account. I bought something from Hannants several months ago, so this is probably linked to their being hacked. Apparently the the small initial charge of $2.71 was a test to see if the transaction would go through. My credit card has been cancelled as a result. It would be just my luck if the new WNW releases come out before my replacement card arrives.

Widmerpool

RLWP · 27 October 2010, 07:44 AM

Just to confirm that this is real, our card has been stopped because someone tried to take over the account. Fortunately they failed the security check as they were aiming to transfer several thousand ponds from our account, and change the address and contact details.

Do check your account if you have used the new Hannants website as it seems that whoever does this could have your card number, name, address and possibly more.

Bugger!

Richard

Scimitar · 27 October 2010, 08:44 AM

I was also victim in that affair.
Credit card canceled...

Edward Pinniger · 27 October 2010, 08:52 AM

Sounds serious!

I can only count myself lucky that I haven't ordered from Hannants since they changed their website (my last order was over a year ago) so my card details aren't on their database. I was planning on ordering some bits from them only a couple of weeks ago but never got round to it, glad I didn't now...

THE GREAT WALDO · 27 October 2010, 10:58 AM

Here´s some interesting stuff on the sage company Hannants uses.
Sage Pay says sorry for upgrade shambles ? Channel Register
The British banking system is pretty archaic compared to here in Europe. I´m a Brit but have been living in Europe for some years and have found any kind of payment transactions in Europe to be a doddle and a helluva a lot cheaper. A lot of my suppliers send me my orders before I have sent payment, I´d be curious to see what would happen if I tried that in blighty. I hope everyone gets their payments back and Hannants get it sorted out as they are a great company.
Cheers

Andrew

jamo · 27 October 2010, 11:23 AM

I received that email, immediately checked my credit card account online and found that an unauthorised charge of NZ$556.70 from a merchant called "BSA NUTRITION - DOMONT - FR".

At the same the transaction came to the attention of my bank who sent me a warning and asked me to confirm if was genuine. I forwarded the email from Hannants to the fraud section of the bank and they reversed the charge and closed my VISA credit card as a precaution. There will be no cost to me, just a little inconvenience waiting a few days for the new card to arrive. Fortunately I have a seperate credit card for internet purchases, so the family card card has not been affected.

I had my card details on Hannant's new website and had made an order in the last couple of weeks (a very nice little 1/72 Short 827 floatplane from Karaya).

Grapeape · 27 October 2010, 11:45 AM

I too recieved that warning e-mail from Hannants, and indeed had recently bought a few things from their website. Sure enough, my credit card company called me this morning, and directed me to their fraud department online. Two usual re-ocurring charges from last Friday, no problem - then roughly $2,300.00 of charges this morning, 10/27/10, from Wal-Mart, Babies R Us, and several online electronics stores 0____0;;;;;

Fortunately, it was caught, my card killed, and a new one will be issued in 7-10 days....here's hoping whatever group was behind this will be caught, but wouldn't be surprised if it never happens...hackers know how to cover their tracks!

Trackpad · 27 October 2010, 12:49 PM

I'll be at Telford for the UK Nationals. Two days ago, I placed a small order with Hannant's for collection there. Yesterday I got the first Hannant's warning, checked my account, and contacted my card issuer. Looks like I've ducked the bullet: no transactions, account fully confirmed, and I've placed a temporary block on my card. If anyone tries to use it over the next few weeks, the alarms will go off.

Like others, this card is oriented only to the hobby and my extremely tiny "hobby" business: my "real" card is safe, and that's what I will use on my visit.