Security breach at scan! Consider at least changing passwords

[ps3ud0]

I'm not here to do myself favours, I telling you what I know, this isn't good enough I know and your correct I don't have the seniority to have all the required information to post up a full explanation, nor do I have the inclination to have the capability to do so and further more never have I said I do or implied I do. I am a Sales Manager and even though this issue i'm sure has the potential or has affected sales, I helping where I can but can't help further with the explanation everyone is waiting for.

Regards

I think we all understand that (see my first post in this thread) and we do appreciate your effort, what I absolutely aghast at is the complete lack of movement by the powers that be - a quick timeline check just illustrates how poorly managed this has been by SCAN management

• 5 years ago - Your systems were hacked - affected customers/public not made aware of this at all, but SCAN were aware at the time and of the details taken and I presume the security hole was fixed.
• 1 month ago - Because a customer decided to raise a query about spam in these forums we found out about what happened 5years ago (Im not calling this a cover up), but not the extent or the method.
• 2 weeks ago - SCAN actioned the forced password reset on potentially affected customers (think this was done by join date before the date of the hack) and had communicated directly to affected customers, you also advised the amount of customers affected, but nothing further other than a statement would be made in a timely manner.

As you can see we havent really moved on much and Im surprised by this, the main issue for 99% of people here is the lack of transparency, now is the time to provide us details and assurances how the hack has been fixed, so in reality we need to understand what actually happened and what was put in place to prevent this (and other simiiar treats) and when. Ultimately youve left at least 20-odd customers in the dark over a period of 5 year with their basic personal details in unauthorised hands.

So right now you have to understand the original event and the time its taken (and the fact it was a customer that raised this) any trust we had for yourselves as a company has gone completely, but it was always going to be easily regained if SCAN took charge of this as soon as it came to light and made us aware of the details of the intrusion itself, how many were affected (which you have done) and the protocols put in place to prevent this in future in a timely manner, its been a month and as far as Im concerned times up. This was so easily fixable where I feel most would have given yourselves the benefit of the doubt if you had shown visible action...

Once bitten, twice shy springs to mind...

And Chris P to reiterate Im not having a go at you, Im more frustrated that theyve left you to 'deal' with this, when in effect there are people within SCAN whose responsibility and job description it is to adequately deal with this - its disgusting that theyve put you in this position because as said above all you are is the messenger.

ps3ud0

[sp4nky]

Yes, the messenger is a difficult position to be in, especially when you're being told to say half-truths and to make promises that will be broken. For example:

We are currently looking into this and will come straight back to you all with a full response..

One month later and the full response is still pending. In that time, I've had to order a new graphics card and while Scan would normally have been my first choice, the recent problems have resulted in me ordering from another retailer.

[rolfcore]

haven't received any spam emails. but this is worrying. Ill be changing my passwords as soon as i can just to be sure.

[Talifer]

Well I've heard nothing more since my last post on this subject. And there appears to be no more information in this thread. With only 25 people to update you would have thought more effort could have been made. I will be deleting my account and asking Scan to delete any information they hold on me, at least when I actually get the email that just got sent when I tried to log in as they've forced a password reset on my account and the email isn't coming through terribly fast, you would have thought the sql query they ran on the database to reset all passwords before 2006 could have incorporated an AND 'hasn't changed their password in the last 6 months'

[j.o.s.h.1408]

This is worrying.going to check mine soon

[rabbid]

Well I've heard nothing more since my last post on this subject. And there appears to be no more information in this thread. With only 25 people to update you would have thought more effort could have been made. I will be deleting my account and asking Scan to delete any information they hold on me, at least when I actually get the email that just got sent when I tried to log in as they've forced a password reset on my account and the email isn't coming through terribly fast, you would have thought the sql query they ran on the database to reset all passwords before 2006 could have incorporated an AND 'hasn't changed their password in the last 6 months'

Well, forced at least to whoever hasnt changed the password since the breach occured perhaps?

[Burnz]

I think we all understand that (see my first post in this thread) and we do appreciate your effort, what I absolutely aghast at is the complete lack of movement by the powers that be - a quick timeline check just illustrates how poorly managed this has been by SCAN management

• 5 years ago - Your systems were hacked - affected customers/public not made aware of this at all, but SCAN were aware at the time and of the details taken and I presume the security hole was fixed.
• 1 month ago - Because a customer decided to raise a query about spam in these forums we found out about what happened 5years ago (Im not calling this a cover up), but not the extent or the method.
• 2 weeks ago - SCAN actioned the forced password reset on potentially affected customers (think this was done by join date before the date of the hack) and had communicated directly to affected customers, you also advised the amount of customers affected, but nothing further other than a statement would be made in a timely manner.

As you can see we havent really moved on much and Im surprised by this, the main issue for 99% of people here is the lack of transparency, now is the time to provide us details and assurances how the hack has been fixed, so in reality we need to understand what actually happened and what was put in place to prevent this (and other simiiar treats) and when. Ultimately youve left at least 20-odd customers in the dark over a period of 5 year with their basic personal details in unauthorised hands.

So right now you have to understand the original event and the time its taken (and the fact it was a customer that raised this) any trust we had for yourselves as a company has gone completely, but it was always going to be easily regained if SCAN took charge of this as soon as it came to light and made us aware of the details of the intrusion itself, how many were affected (which you have done) and the protocols put in place to prevent this in future in a timely manner, its been a month and as far as Im concerned times up. This was so easily fixable where I feel most would have given yourselves the benefit of the doubt if you had shown visible action...

Once bitten, twice shy springs to mind...

And Chris P to reiterate Im not having a go at you, Im more frustrated that theyve left you to 'deal' with this, when in effect there are people within SCAN whose responsibility and job description it is to adequately deal with this - its disgusting that theyve put you in this position because as said above all you are is the messenger.

ps3ud0

I couldn't agree more. I signed up half an hour ago to ask a question about some speakers, and had no idea about any of this. I'm not going to start flapping about how loyal a customer I am because I'm sure I can speak for the majority of us, but I'm quite let down because we could of been notified somehow. I can understand that any company in this situation will be faced with a decision, and appreciate that exposing these things can affect credentials, but being open and honest gets further than keeping the whole thing under wraps.

Another worry for me is, we now have to input a mothers maiden name to login. Will this turn out to be another piece of information that can be added to the hackers logbook if it happens again? I mean don't get me wrong, I'm a reasonable guy and I don't like making mountains out of molehills. Sometimes your customers need to count on some reassurance, and at the expense of degrading the integrity of the entire rant - some BALLS.

[Chadders87]

5 Years ago? If you haven't changed your password since then I'd say you deserve to be hacked.

[rabbid]

5 Years ago? If you haven't changed your password since then I'd say you deserve to be hacked.

I dont think anyone deserves to be hacked, and in this case it wasn't originally the actual user being hacked it was scans system compromised/hacked giving away some users' details.