Fitness website PayAsUGym discovered that its servers were hacked after security members found partial card numbers and home addresses on a public website. The company, which sells passes for gyms around the UK, admitted that the financial details of its members were stolen during the cyber-attack. About 300,000 customer details are believed to have been stolen.
Customers were advised to cancel their credit cards if they suspect their details have been stolen. The company alerted its members to the security breach through an email, stating that one of the company's IT servers was accessed by an unauthorized person.
The company also recently clarified the confusion over earlier claims that PayAsUGym did not hold any card details. The company earlier said in an email that although the email addresses and passwords were accessed, no financial or credit card information was held by the company.
Several customers' credit card details, including 10 digits of their card number, expiry date and home addresses, appear to have been published online.
Jamie Ward, PayAsUGym's chief executive, said customers could contact the company directly to find out the exact information they hold.
"We've been completely clear with every customer that has contacted us since our original statement on what we hold," he added.
The website said that it used a "tokenized system" for customer payments. This means that the card details are stored at the payment gateway, not on its servers.
Security expert Troy Hunt, who tracks breached websites, said that he came across several people's details online, and urged customers to cancel their cards right away. He said that the first six digits and last four digits had been published on a website, presumably by the perpetrator.
He further explained that fraudsters can use computer algorithms to work out complete credit card details within seconds.
"PayAsUGym has stated that there is no card data at risk, yet here we have a screen grab of a large amount of card data. There's some transparency lacking here," he added.
After consulting with cyber security professionals, the company said that it had started using new servers.