Planet Ice, which operates 14 ice rinks up and down the UK, has revealed that criminal hackers managed to break into its systems and steal the personal details of over 240,000 customers.
The first hint most skating and ice hockey fans saw that there could be a problem occurred at the start of last week, when their attempts to book tickets online were met with a terse message explaining that Planet Ice’s servers were “experiencing unplanned server downtime.”
In the following days, some customers reported receiving an email from Planet Ice that revealed it had discovered its “Ice Account” system had been breached, giving unauthorised parties “external access to the non-financial areas of the system.”
According to Troy Hunt’s HaveIBeenPwned project, the data from 240,488 customer accounts is now in the hands of hackers, including:
- Dates of birth, names, and genders of children having parties
- Email addresses
- IP addresses
- Phone numbers
- Physical addresses
Although it’s obviously a good thing that payment information was not accessed by the hackers (that, thankfully, is handled by a third-party processor), it’s easy to imagine how the above information could be exploited by scammers.
For instance, the passwords were stored as MD5 hashes (a method which is considered old and outdated), and so it’s not just a case of ensuring that you change your Planet Ice password but also change your login credentials anywhere else where you might have been using the same password.
Furthermore, fraudsters might attempt to contact Planet Ice customers – using the personal details garnered from the compromised accounts to appear more convincing – in an attempt to phish further information from unsuspecting victims, or point them to bogus websites, or trick them into opening malicious attachments.
Planet Ice says that it has notified the Information Commissioner’s Office (ICO) about the breach, and has called in external cybersecurity experts to assist it with its investigation and response.
The company has warned customers that they should treat further emails they might receive about the security breach as “suspicious” and are encouraging anyone wishing to verify any communications to contact their Data Protection Officer, who is named “Ross”, at [email protected].
Some Planet Ice customers have turned to social media, angry that the first they heard about the security breach was from media reports or HaveIBeenPwned rather than from the company itself.
Which seems a little unfair on poor old Ross, who must be hacking a hell of a time sending out those 240,488 notification emails one-by-one.