Caravan and Motorhome Club's website down!
May 16, 2023
1,250
3,016
Funster No
95,993
MH
Bailey Alliance 66-2
I am curious as to how The Register knows they have reported themselves to the ICO. If they have had a security breach then not reporting themselves would be not only criminal but criminally stupid. You can't hide this stuff and they will always find out.
I suspect it's an insider (possibly at ICO) talking to the journalist. Some government departments are very leaky on such matters and it wouldn't surprise me at all for them to have an insider at ICO.
 
Sep 25, 2023
751
939
Funster No
99,038
MH
Swift Sundance 590RS
I suspect it's an insider (possibly at ICO) talking to the journalist. Some government departments are very leaky on such matters and it wouldn't surprise me at all for them to have an insider at ICO.
Journos will pay big for such a scoop.
 
May 16, 2023
1,250
3,016
Funster No
95,993
MH
Bailey Alliance 66-2
We use a reputable cloud backup service that if we were using AWS instead would cost us $118,000 a year. That's an awful lot for a small company.
Yeah, but I've dealt with it the other way. For disk IOP performance of an app I worked on last year that was previously done on premises, it needed extreme read and write performance (roughly speaking 40Gbit a sec read/write to 100 or so compute nodes with no contention, concurrent across a ~2PB dataset) and would be a $30 million storage array on prem to extend to the requirement (that was the figure from an RFP to many storage vendors to meet the requirement). In (one public cloud) in the case in question, they've got the same storage for around $400k per annum (but the service they are using is a beta service). There is no requirement in either case for backup/recovery of any sort given the data is recoverable elsewhere, just extreme IOP performance that is well beyond what normal cloud buckets offer (RPO measured on a month timescale). Unsurprisingly the client moved the app in question to cloud given the higher costs on-prem; it's finishing go-live for this March as it's just passed all the compliance hurdles. Point I'm making is cloud can work for some clients and be cheaper ... even if you own the storage and datacentre, if you are on the extremes of the performance spectrum.

Cloud backup however can be very cost effective if you don't need to access it much, using archive storage (AWS's Glacier and other clouds' equivalent), but it's expensive as all hell if you need a fast guaranteed recovery with five nines. I do totally concede that if you have lots of storage (i.e. many TB) with a small IOP requirement it's almost always cheaper to do on-prem with your own disks, given 18TB is what, £200 or less a disk now. That would be why I still recommend private co-location to some clients as it's sometimes cheaper.
 
Apr 29, 2014
146
227
isle of man
Funster No
31,214
MH
coachbuilt
Exp
since 2011
A previous warden told me it was ferry booking software but neither here nor there!
I gave up using the ferry booking page a few years ago when they updated their website; it was a nightmare. I complained but after several attempts complaining online and over the phone I just gave in. I am looking at alternatives this year.

Nov 6, 2013
1,442
3,367
S. Ayrshire
Funster No
28,914
MH
The usual
Exp
Since the beginning
Just had this fed through to me


So it is a security breach. I hope card details haven't been accessed; it will cost them a fortune 😈
 
Sep 25, 2023
751
939
Funster No
99,038
MH
Swift Sundance 590RS
Just had this fed through to me


So it is a security breach. I hope card details haven't been accessed; it will cost them a fortune 😈
Their Privacy policy says they are PCI DSS compliant and do not store card details but they do store bank account details. See my previous post with screenshot of their privacy policy.
 

Coolcats

LIFE MEMBER
Jan 24, 2019
6,239
11,077
Funster No
58,207
MH
HymerCar Ayres Rock
Just had this fed through to me


So it is a security breach. I hope card details haven't been accessed; it will cost them a fortune 😈
Whilst some systems do, many will just be held by someone like Stripe. We use a cloud system and no card details are held by that, just by Stripe, so if they were sensible our card details 'should' be OK.
 
Oct 9, 2019
5,087
17,928
Todmorden
Funster No
65,104
MH
Van conversion
Exp
FUNSTER in a PVC
Whilst some systems do, many will just be held by someone like Stripe. We use a cloud system and no card details are held by that, just by Stripe, so if they were sensible our card details 'should' be OK.
I just would not put it past them to hold on to card details; they seem to ignore what is right for members on other matters.


 
Sep 25, 2023
751
939
Funster No
99,038
MH
Swift Sundance 590RS
I just would not put it past them to hold on to card details; they seem to ignore what is right for members on other matters.
Unlikely as they use a 3rd party payment processor, but not impossible. Their privacy policy says they don’t hold card details and that they are PCI DSS compliant. They do however hold bank account details.
 

Gellyneck

LIFE MEMBER
Jun 5, 2014
10,231
21,014
Scotland
Funster No
31,836
MH
C Class
Exp
More than toes wet now!
Well, looks like the tech guys are making some progress. We just got our automated invoice email for our stay, which means that wardens must have access to the system; guess they are in soft relaunch mode. Hopefully everything goes well for them.
Yip, ours arrived last night as well, however it doesn't agree with what we actually paid!!!
 

hja

May 8, 2020
1,147
3,596
Lincolnshire
Funster No
70,433
MH
Globecar Summit Prim
Exp
Since 2019
Within the last hour the CAMC Director General has placed a long statement on the CAMC Facebook site explaining that it was a cyber security issue. They were apparently told not to tell anyone. I am sure someone else with better skills than me can copy and post the statement here.
 

hja

May 8, 2020
1,147
3,596
Lincolnshire
Funster No
70,433
MH
Globecar Summit Prim
Exp
Since 2019
Within the last hour the CAMC Director General has placed a long statement on the CAMC Facebook site explaining that it was a cyber security issue. They were apparently told not to tell anyone. I am sure someone else with better skills than me can copy and post the statement here.
Thanks. Overlapping posts.


 

Gellyneck

LIFE MEMBER
Jun 5, 2014
10,231
21,014
Scotland
Funster No
31,836
MH
C Class
Exp
More than toes wet now!
The text of the Facebook update -
+++++
I wanted to apologise that you have not been able to access any of our digital channels or speak to our contact centre over the past few days.
On Saturday 20 January 2024 we were informed by leading forensic experts that the Club has been the victim of a cyber security incident. Once the incident was detected, we immediately deployed best practice response protocols and containment measures, including taking all systems offline and implementing enhanced monitoring technology. By taking swift action we greatly minimised the effects of this cyber security attack.
The same day we notified the Information Commissioner’s Office (ICO); a standard procedure in these incidents.
Advice from our cyber security experts was to not raise public awareness of the incident and to allow their forensic team to carry out the necessary investigation to understand what systems (if any) may have been accessed.
We understand the lack of communications will have been frustrating for members but we have followed advised procedures in order to safeguard members until the full facts were known and to help avoid any potential further issues.
Our internal and external specialist teams are working around the clock to understand the extent of this incident. We are working to establish whether there was any unauthorised access or exfiltration of members’ data. However, we believe the correct thing to do now is to notify you of the incident.
We will of course alert individual members as soon as possible if any breach of member data is established.
At this time we are working with our IT partners, with an abundance of caution, while in the process of restoring all of our systems slowly, methodically and carefully to safeguard security.
This type of incident is a reminder that we must all remain vigilant to any unusual or spurious requests for personal details. Please note that we will never contact you unprompted to ask for your account details or security information, and we will never ask you to disclose your passwords. Data security is of paramount importance, to us, our members, guests and suppliers.
I would like to offer our most sincere apologies for the inconvenience this has caused. Your Club teams are working in tandem with our dedicated and expert partners to understand better the details of this incident and to restore the Club systems.
We greatly appreciate the many comments of support and understanding that members have expressed.
+++++
 
May 16, 2023
1,250
3,016
Funster No
95,993
MH
Bailey Alliance 66-2
The text of the Facebook update -
+++++
Would have been better if they had beaten the media to the reporting on this. Was pretty clear last night from the (likely ICO) leak on The Register what was going on. I also don't entirely believe the media blackout advice here, as it's not something I've seen done regularly (having been involved in far larger incidents for far larger clients than CAMC are) -> I do wonder who is doing their forensics in this case.

That said, like others I think there may be little to worry about, yes they have my bank account and sort code, but apart from that it's quite limited in the data they store on me, and actual credit card details are not stored by them from my use in last year (they used Worldpay).

Now waiting to see the outcome of their (forensic) investigations as I doubt they'll have the in house skills for this.
 
Nov 6, 2013
1,442
3,367
S. Ayrshire
Funster No
28,914
MH
The usual
Exp
Since the beginning
Just read the statement on the CMC Facebook page.
I probably laughed a little more than I should, but hey ho, gives them an excuse to increase prices again.

 
Sep 25, 2023
751
939
Funster No
99,038
MH
Swift Sundance 590RS
Just seen that on the CAMC site home page... never used to happen under the older, fully working, never-failed booking and membership system... but they'll not learn from this.
You cannot say this never used to happen under the old system. Companies far far bigger than CAMC have suffered serious cyber attacks, they are getting more and more sophisticated as time goes on. There is absolutely no guarantee it won't happen again even with new protections and processes in place. This could have quite easily happened under the old system.


 
Nov 6, 2013
1,442
3,367
S. Ayrshire
Funster No
28,914
MH
The usual
Exp
Since the beginning
You cannot say this never used to happen under the old system. Companies far far bigger than CAMC have suffered serious cyber attacks, they are getting more and more sophisticated as time goes on. There is absolutely no guarantee it won't happen again even with new protections and processes in place. This could have quite easily happened under the old system.
Both the website and App are bug ridden. Login credential requirements are woefully simple, and with no option for Two Factor Authentication. If the customer-facing interface is simple and has issues, then that doesn't hold out much confidence on what's happening behind the scenes ;)
 
Sep 25, 2023
751
939
Funster No
99,038
MH
Swift Sundance 590RS
Both the website and App are bug ridden. Login credential requirements are woefully simple, and with no option for Two Factor Authentication. If the customer-facing interface is simple and has issues, then that doesn't hold out much confidence on what's happening behind the scenes ;)
That may be the case, but there is no way to tell that this cyber attack could not have happened to them before.

If the updated app and the site have weak authentication, then yes that could be used as an attack vector. At the moment we don't know what happened so it is all speculation.
 
Oct 18, 2022
1,513
6,324
South West
Funster No
91,961
MH
Adria Twin
Exp
Since 1992
That said, like others I think there may be little to worry about, yes they have my bank account and sort code, but apart from that it's quite limited in the data they store on me, and actual credit card details are not stored by them from my use in last year (they used Worldpay).

So, just to clarify my understanding of that…. if you book a site, pay the deposit and opt to pay the balance on arrival, CAMC do not hold card information in the intervening period?
 
Sep 25, 2023
751
939
Funster No
99,038
MH
Swift Sundance 590RS
So, just to clarify my understanding of that…. if you book a site, pay the deposit and opt to pay the balance on arrival, CAMC do not hold card information in the intervening period?
CAMC never hold card details; they are processed by, I think, Worldpay. If the deposit is all that's paid, then that financial transaction has been and gone and the card details are not held. If you are paying the balance on arrival I presume you pay at reception or via the App. According to their privacy policy they do not hold card details but do hold bank account details. They state that they are PCI DSS compliant.


 
Feb 27, 2011
15,208
80,512
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
I also don't entirely believe the media blackout advice here, as it's not something I've seen done regularly (having been involved in far larger incidents for far larger clients than CAMC are) -> I do wonder who is doing their forensics in this case.
Me neither. I always advise my clients to be up front with their customers.
Once a system has been taken offline the hackers cannot do anything more to it. So telling your customers is not going to trigger the hackers to do anything other than what they would do with any of the data anyway.
I suspect it was a PR move in the hopes they could get it under control first. But even that doesn't make sense.

Being up front is a 50/50 chance you will upset, annoy or pee off customers. Not informing them is a 100% chance you will upset, annoy AND pee them off.
 
Feb 27, 2011
15,208
80,512
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
From Twitter. Probably the same text as the Facebook one, but just in case.

 
May 16, 2023
1,250
3,016
Funster No
95,993
MH
Bailey Alliance 66-2
So, just to clarify my understanding of that…. if you book a site, pay the deposit and opt to pay the balance on arrival, CAMC do not hold card information in the intervening period?
They won't, based on my actual use of the system. The people that DO hold it are Worldpay, and CAMC just hold a transaction reference to ask them to bill the remainder. That's based on my last payments for both a site and their Clubfest event. Once the payment completes, the link between that transaction and CAMC is wiped so they can no longer bill you.
You can usually also ask Worldpay to keep the number for future transactions, "storing your card on CAMC" -> but that doesn't actually do what you would think; it stores a unique-to-CAMC reference for your card in their systems rather than the card itself... the only one able to use that reference being CAMC themselves (as it can only be used from their web app, and not a hacker's). That's how it works, but it's a bit more complex behind the scenes... when you actually hit submit your payment goes to Worldpay, then redirects back to the CAMC page, so it all looks like it's CAMC, even if it isn't actually their systems you're interacting with. I would stress there is no way their payment processor is breached, as Worldpay is used by so many people there would be news globally about websites failing right now; I think about 30% of all sites I visit use the same payment processor...

All sites work this way; even large players pass to the big 3-4 transaction processors these days as the cost of compliance is too much to do otherwise (PCI compliance I mean). The technical reason is that if you do store the actual card details you put your entire app/infrastructure in scope for PCI, and no-one wants to do that given the cost of compliance is "very expensive". I know actual banks who avoid this, and they technically can be ruled not in scope for PCI in the first place (on a technicality).
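The tokenised card-on-file flow described in the post above, as an added toy model (not the club's or any processor's real code; the Processor, Merchant and demo names and the rejection strings are constructed here): the merchant's database holds only a merchant-bound token, a one-off token is discarded after use, and a token copied out of the merchant's records cannot be charged by anyone else.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Processor:
    """Stand-in for a payment processor (hypothetical, not Worldpay's API).
    The card number (PAN) lives only in this vault, keyed by a token that is
    bound to the merchant that created it."""
    vault: dict = field(default_factory=dict)  # token -> {merchant, pan, reusable}

    def tokenise(self, merchant_id, pan, reusable):
        token = secrets.token_hex(8)
        self.vault[token] = {"merchant": merchant_id, "pan": pan, "reusable": reusable}
        return token

    def charge(self, merchant_id, token, amount):
        entry = self.vault.get(token)
        if entry is None:
            return "rejected: unknown or expired token"
        if entry["merchant"] != merchant_id:
            return "rejected: token not bound to this merchant"
        result = f"charged {amount} to card ending {entry['pan'][-4:]}"
        if not entry["reusable"]:
            del self.vault[token]  # one-off payment: the link is wiped after use
        return result


@dataclass
class Merchant:
    """Stand-in for the booking system: it stores token references only."""
    merchant_id: str
    processor: Processor
    bookings: dict = field(default_factory=dict)  # booking ref -> token

    def take_deposit(self, booking, pan, amount, keep_for_balance):
        # The PAN is handed straight to the processor and never written here.
        token = self.processor.tokenise(self.merchant_id, pan, keep_for_balance)
        self.bookings[booking] = token
        return self.processor.charge(self.merchant_id, token, amount)

    def take_balance(self, booking, amount):
        return self.processor.charge(self.merchant_id, self.bookings[booking], amount)


def demo():
    """Constructed walkthrough; returns each outcome so it can be checked."""
    proc, pan = Processor(), "4111111111111111"  # constructed test card number
    club, out = Merchant("club", proc), {}
    out["deposit"] = club.take_deposit("B1", pan, 20, keep_for_balance=True)
    out["balance"] = club.take_balance("B1", 80)
    # A token copied out of the merchant's database is useless to any other party:
    out["other_merchant"] = proc.charge("other-shop", club.bookings["B1"], 500)
    out["one_off"] = club.take_deposit("B2", pan, 20, keep_for_balance=False)
    out["one_off_again"] = club.take_balance("B2", 80)
    out["pan_in_merchant_db"] = pan in str(club.bookings)
    return out
```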
 
Dec 6, 2011
12,212
27,314
South Wales
Funster No
19,136
MH
Coach built Adria
Exp
Since 2007
CAMC never hold card details; they are processed by, I think, Worldpay. If the deposit is all that's paid, then that financial transaction has been and gone and the card details are not held. If you are paying the balance on arrival I presume you pay at reception or via the App. According to their privacy policy they do not hold card details but do hold bank account details. They state that they are PCI DSS compliant.
Their new method of payment is card for deposit, retain details to take the balance on the morning of arrival. Payment via the office on arrival is discouraged.

Edit; cleared up by starquake above. Thanks
 
Jul 25, 2017
420
1,179
Rugby
Funster No
49,630
MH
Elddis Autoquest 185
Exp
Since2012
Email just come through from the club that they have been subjected to a major security attack and are working through to identify the level of breach. They took the complete site down as soon as it was identified. Should know the impact in the next couple of days.
