back to article Cinema voucher-pusher tells customers: Cancel your credit cards, we've been 'attacked'

Worker perks-flinger Sodexo has told a number of customers to cancel their credit cards following "a targeted attack" on its cinema vouchers platform, Filmology. The scheme, which provides UK employee rewards via discounted cinema tickets, has also taken its site down "for the foreseeable future" in order "to eliminate any …

  1. Valerion

    Happened to me

    I had an email from Sodexo in February, a few days after my card got used for a few fraudulent transactions.

    Luckily Natwest were on the ball and blocked the card before I even realised.

    Edit to say that this was done via the Tastecard Plus site - I had no idea who Sodexo were or that they were the one providing that service.

  2. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: UK Law Must Introduce Guest Checkout

      Regrettably most companies treat PCI-DSS as an annual check-box exercise, cause they see it as a distraction and road block. Where if they used it as its intended, i.e. methodology / framework that would deliver a more hygienic practises, whilst this will not prevent a breach, it will speed up detection and remediation.

      If you work for a company who's considering taking credit card payment.. take my advise, use a 3rd party payment services provider, that you can redirect the customers too. It will reduce what you have to do to be PCI-DSS compliant from 50-100 pages demands, down to about 10... (you'll fill in a SAQ A, rather than SAQ A-EP).

      1. Anonymous Coward
        Anonymous Coward

        Re: UK Law Must Introduce Guest Checkout

        Err, erm this says more about your knowledge of PCI:DSS than the incident.

        You can still be required to complete SAQ A-EP even if you do NOT handle card data either in transmission or at rest.

        The one to avoid is SAQ-D if you need this, then you need to ask yourself if you need to review your infastructure design...

    2. Pascal

      Re: UK Law Must Introduce Guest Checkout

      You don't even need guest checkout, just don't save credit card info after payment -- or at the very least, let the customer decide if you should "remember" that credit card.

      1. PeeKay

        Re: UK Law Must Introduce Guest Checkout

        Simple solution for this already exists - use the credit card for the first time only, storing only the token returned by the payment processor - and then use that token for future payments.

        I implemented a system like this in 2007...

      2. Anonymous Coward
        Anonymous Coward

        Re: UK Law Must Introduce Guest Checkout

        Just use Google pay. One time card numbers every time. The bank cross reference and then dispose.

    3. Cuddles Silver badge

      Re: UK Law Must Introduce Guest Checkout

      "The UK must be changed to allow for a guest checkout, such that your card details are NEVER stored on their systems"

      From the article:

      "bank details were stolen from the payment page"

      Demanding changes to the law to avoid storing details isn't going to help when storing details didn't have anything to do with the issue in the first place.

  3. Florida1920
    Holmes

    Outsourcing a service to a third party

    A brilliant way to save money and increase shareholder value.

  4. jms222

    Kill all middleman companies

    Wouldn't it be better to ban all voucher, Christmas hamper and similar middleman companies ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Kill all middleman companies

      Especially when a recurring topic in consumer protection forums is "We bought/were given a voucher by <insert defunct company name here>. What are our rights ?"

      A: "Back of the queue, sucker."

      Personally I think it's a little ... parsimonious of people to give vouchers rather than the best voucher of all ... cash.

    2. Anonymous Coward
      Anonymous Coward

      Re: Kill all middleman companies

      Used voucher company once for a cheap meal voucher, a month later phoned restaurant to book and they were still called the same name but apparently under new ownership so weren't honouring the vouchers. Had to get a refund. Never again.

  5. Neil 32

    Interesting... We have one of these corporate perks schemes but through LifeWorks. They also like to fling cinema vouchers (why are cheap cinema tickets such a popular "perk" for these flingers!?) so just did a quick web search to see if there is a link. Seems that sodexo is a customer of LifeWorks, so is there some sort of circular benefit going on here where sodexo provide the cinema perks bit to LifeWorks and they provide other perks to sodexo? If so, are LifeWorks customers who have used the cinema perks at risk? How deep does this run? :-/ (Thankfully, I can't remember the last time I went to the cinema, so shouldn't be affected if it does extend to LifeWorks!)

    1. katrinab Silver badge

      "why are cheap cinema tickets such a popular "perk" for these flingers!?"

      Does anyone ever pay full price for cinema tickets? How does the price at LifeWorks compare with the discounts available elsewhere?

      1. Anonymous Coward
        Anonymous Coward

        Does anyone ever pay full price for cinema tickets?

        For some reason that sparked a return question about buying full price sofas from DFS ....

    2. John Brown (no body) Silver badge

      "(why are cheap cinema tickets such a popular "perk" for these flingers!?)"

      These days, being sent to the cinema is a punishment, not a perk. Unless you are lucky enough to have a nice, local and independent cinema that still cares about the customers.

      1. Martin an gof Silver badge

        "(why are cheap cinema tickets such a popular "perk" for these flingers!?)"

        These days, being sent to the cinema is a punishment, not a perk. Unless you are lucky enough to have a nice, local and independent cinema that still cares about the customers.

        Never quite understood how much the big chains charge, given that our small, local(ish) cinema can get all the big releases, provide just as much screen and sound as a big chain cinema (though no Atmos or Imax) and yet charge a flat rate of £2.50 (weekdays) and £3.50 (weekends). They even have a 3D screen, though films don't stay long in there.

        M.

        1. Eaten Trifles

          Even before I clicked on your link I thought "oh, that sounds just like the Maxime."

          Is there another cinema as good anywhere else in the UK?

    3. Steve the Cynic

      (why are cheap cinema tickets such a popular "perk" for these flingers!?)

      I'd say that they are expensive rather than painfully expensive.

      And it's because it's inexpensive for them to offer, not prone to refunds owing to companies changing ownership, and so on. And people do still like going to the cinema. Whether that makes those people foolish is a question for another pub.

  6. tiggity Silver badge

    TLS version?

    If they used 3rd party payments companies they might still have hassles. For a long time a lot of CC APIs were accessible via TLS 1.0 - there has been a big push over the last year or so to force people to use more secure versions of TLS (and by rights TLS 1.0 should be dead already in CC APIs but deadline for removal was extended, now July 2018 IIRC)

    So they could have been trying to do the right thing and using 3rd party card people but have been vulnerable due to TLS 1.0 usage (there are known exploits)

    Purely guesswork (they might have done it all in house), but does show that still need to pay some attention to security even if another company doing card payment heavy lifting on your behalf

    1. Anonymous Coward
      Anonymous Coward

      Re: TLS version?

      I think you'll find you can get a dispensation after that in certain circumstances...

  7. Alan J. Wylie

    This was public back at the start of February

    I saw a report about this and sent an e-mail containing the following link reporting a Filmology breach on 01-Feb-2018.

    http://latest-updates.co.uk/48OZ-6G27-6C2T0OLODC/cr.aspx

    Twitter link

  8. Anonymous Coward
    Anonymous Coward

    Hard for customers to swallow this?

    Par for the course if you eat at a Sodexo canteen.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hard for customers to swallow this?

      At least you have some sort of canteen! Working in the "city", employers dont have to provide one because of the copious amounts of branches of EAT/Pret....which means a sandwich which Sodexo will sell you for £2.50 or less costs about £7 for the same ineddable crud......

  9. Martin Milan

    Where to record credit card data when dealing with a payment gateway...

    I work for a company that provides payment services to various customers, many of whom are household names...

    When we deal with card data we have a very simple, delightfully inflexible rule. We do not store the full 16 digit card number, or the CCV in any sort of persistent medium. At all. Ever. Or, according the the MD, frankly else...

  10. Anonymous Coward
    Anonymous Coward

    CREST- who the hell are they

    looking at CREST web page, not sure they look trust worthy, no indication of who actually runs it, no staff mentioned, pretty much nothing to identify or show why they should be trusted.

    from a quick look,looks like a bunch of companies bunched togeather and made an org to give themselves a better reputation?

    1. Anonymous Coward
      Anonymous Coward

      Re: CREST- who the hell are they

      crest.com is toothpaste...you need to put a lot in a server to make it secure...unless you go for the PSU.

    2. Pier Reviewer

      Re: CREST- who the hell are they

      They’re a not-for-profit organisation (which is another way of saying the shit ton of money we get for doing very little goes to the C Suite pay bucket) that is meant to provide a degree of certainty that the penetration tester you’re paying for isn’t shit.

      Sodexo are clearly blame shifting here - “pen tester said it was fine”.

      Ofc Sodexo went with the cheapest option, which doesn’t mean the lowest day rate, it means the lowest number of days. Give a pen tester a couple of days and they’ll find the easy stuff, but that kind of time boxing leaves them very little chance of finding the truly interesting stuff.

      Then you’ve got scoping issues - PCI compliance testing is all about getting as little stuff tested as possible (because it’s faster, and time is money). A pen tester won’t touch an out of scope box, else it’s career over. If Sodexo didn’t provide sufficient info to allow the engagement to be appropriately scoped then a vulnerable box might not get tested (chances are the pen tester didn’t know it existed).

      Attackers on the other hand don’t give a damn about scope. They’ll go poking until they find something, then move laterally looking for exciting new toys to break.

      I’d wager the initial breach was via an unscoped box. I’m not certain, but it’s not uncommon.

  11. Anonymous Coward
    Facepalm

    Sodexo website was PCI compliant

    "While the merchant is ultimately responsible, that does not mean they caused the breach as it could be down to outsourcing a service to a third party, or a fault in one of the software products they are using. All will have to be PCI compliant [the payment card industry's data security standard]." ref

    "If you have any questions about this, please contact Filmology on ***** *** ***. ref

    Any idea as to the technical nature of the breach?

    1. Prst. V.Jeltz Silver badge

      Re: Sodexo website was PCI compliant

      "Any idea as to the technical nature of the breach?"

      It sounded to me like they (sodexo) had absolutley zero idea of even where the breach was nevermind how, and (ludicrously imho) seemed to think switching the website off would solve it for now.

  12. HWwiz

    PCI Breech

    So what were they doing retaining Card data anyway ?. You are NOT allowed to do this under PCI Compliance.

    Lets hope they get a severe spanking.

  13. Urelius

    By the sounds of the email they weren't actually storing the cc details in a DB, but they were being intercepted from the payment processing screen which was compromised by a miscreant!

    No details as to whether they were doing this in house or via a 3rd party processor though!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022