UPDATE: 6th February 2015
Investigation
The investigation is progressing with the authorised, Third Party specialist we have appointed.
This is at the forensic level and is detailed and painstaking work. As yet, they have not been able to find conclusive evidence of a breach or how this might have taken place. Of course, this could change, as the investigation progresses, and we will keep you informed on this.
Understanding what has happened and where, with regards to compromised card details is very important to us also.
Blanket Email
On 13th January, while the investigation was in its early stages, we did say that we would blanket email our customers, however, the next day, we were strongly advised by one of our Payment Partners not to do this and we were also aware of ICO Guidelines warning against “over-notification”.
We understand that this has disappointed many of you, and does seem to run against the idea of good customer service, however, we were so strongly advised against this course of action that we believed we should not send a Blanket Email.
We sincerely apologise that it has taken a while for us to address this. We were hoping to hear sooner and definitively, the results of the investigation, however, that has not been the case.
We are keeping customers who have asked to be kept informed, up to date via emails and have sent several bulk emails over the last 10 days.
New Payment Platform
Whatever the results of the investigation, in order to reassure our customers, we took the decision early on to move to a new Payment Platform, which provides even greater levels of security.
This is now live and we have started to process subscription payments using tokens only. We will be completing the Payment Platform work on the remaining site functionality over the coming week or so.
No full card numbers are stored on our systems, we just hold a token that we can use for future payments.
Every time, we process a payment, we simply present Sagepay with this token and they then match this up to card details stored securely on their systems.
We will hold the last 4 digits only, and expiry date for your card, for website administration, which is standard practice.
These are passed back to us, by Sagepay, when you update your card details, so the full card details do not enter our systems at all.
Updated Security Program
Although, the investigation is still ongoing, and even though, we will not store full card numbers, and in fact, no card details will be entered via our site, the appointed Third Party specialist will help us devise a plan for additional monitoring of website and system security, over and above our current PCI Compliance requirements.
This new platform and the additional security monitoring are part of our commitment to make renting and purchasing from Boomerang as secure as it possibly can be.
I am Legend
We emailed those registering for I am Legend on 28th January to confirm acceptance and we will be setting their account to this status next week and adding the first 400 points.
We expect that Bonus Games will go live around the end of February.
R - these clowns still think it is not their fault