Online retailer working "round the clock" to investigate...

Chain Reaction Cycles have today acknowledged that some of their customers have become victims of what appears to be systematic credit card fraud, though at this stage the precise nature or even the existence of any possible breach of the company’s online security has yet to be confirmed.

Online forums, including our own, have carried anecdotal evidence of fraudulent activity on the bank accounts of people who have recently purchased goods from Chain Reaction, and the company has confirmed that it is carrying out an urgent investigation into the matter. It has enlisted the services of a specialist internet security company to help with the investigation.

Some of the fraudulent transactions have been for relatively minor sums of up to £30, usually, it seems, to pay for mobile phone top ups, but it appears that others victims have seen their accounts debited for considerably larger amounts.

If there is evidence of a range of fraudulent uses of card details it could indicate that either Chain Reaction's own security has been breached, or that of the credit card gateway that processes card payment, or of the link between the two. Card information might then be being sold on to a variety of criminals who are targeting individual victim’s bank accounts in different ways.

Alternatively it may be that an individual or single gang is testing individual accounts with relatively innocuous-looking transactions which may go unnoticed before attempting to make much larger purchases on the compromised cards.

Chain Reaction has responded to media enquiries with a carefully worded Q&A statement emailed to road.cc and posted on the Singletrackworld forum from senior manager Michael Cowan which says:

What do we know?
We know that some of our customers have experienced credit card fraud after placing an order with CRC.

When did we find out?
Senior staff in CRC where alerted to forum comments on Sunday 6th of March. We immediately began our investigations enabling to release information via community forums on Wednesday the 9th, acknowledging that we were actively investigating the situation.

How big is the problem?
So far, we have been contacted by customers who purchased in February and the beginning of March. The contacts we have had both directly and via forums equates to under 0.1% of on-line orders placed In that same time period. However, we understand that for those effected this is of great concern and as we take our customer's security extremely seriously we are taking all the steps we can to understand what has happened.

What steps have we taken?
CRC have employed one of the UKs leading internet security companies to carry out immediate and full forensic investigation into CRCs infrastructure. This investigation has so far uncovered no evidence of any breach. We are also fully engaged with our card processing companies and the card schemes. This investigation is still underway.

Card Re-issues
Purely as a precaution, Card Issuers may make the decision to reissue new cards to recent CRC customers. If your card is reissued it does not mean that your details have been compromised but the banks take an ultra cautious view on this as the cost of re-issuing a card is much smaller than resolving any potential issue in the future.

When will CRC have more information?
We are working round the clock to get an understanding of what has happened; as we get greater understanding we will continue to keep you up to date and intend to issue a further updates over the next week or so.

Can you order safely?
So far the investigation has uncovered no evidence of any breach but if you want to order on CRC without CRC being in contact with your credit card details then choose Pay by PayPal and checkout using your credit card via the PayPal express checkout.

Please contact us directly
We want people who have been directly affected to contact us so we can personally update you by email. Please contact us on +44 (0)2893343758 between 9am – 5.30pm or emailenquiries [at] chainreactioncycles.com and we will be glad to help you.”

road.cc has placed calls to the company and we will update you once we have more information.



David cycling t... [64 posts] 6 years ago

Good. I've just asked around family. Both my dad and his mate purchased stuff last month and both found someone charged the £30 of O2 Top ups to the both of them.

wez [43 posts] 6 years ago

I had the same thing happen to me, £15 of O2 top ups. The first I knew about it was when the bank rang me to clarify the tansaction, ended up with a new card.

jengy [72 posts] 6 years ago

yep, me too - O2 as well....

scubajonny [16 posts] 6 years ago

Two recent transactions with CRC; both followed a week or so later with calls from my bank reporting unusual behaviour on cards. Payments to Netflix in my case. Never made the link as I shop online a fair bit; will make me think again about using them for a while..

PJ McNally [591 posts] 6 years ago
scubajonny wrote:

will make me think again about using them for a while..

I had a bogus charge on my credit card, too. But I now have a new card, and CRC are working to find out what went wrong - so they're likely to be one of the safer places to use your card for a while!

(I don't work for CRC - I just think they're a great company).

don_don [149 posts] 6 years ago

Freaky.. I also had 2x £15 O2 top-ups on my card, about a month after some CRC purchases. However, this was also about a week after a purchase on Wiggle, who have also had some forum chat about the same thing in the past.

I had assumed Wiggle might be the source of the leak, since they retain your card number on their system. However, it now seems its not that simple!

0liver [90 posts] 6 years ago

Just rang them and let them know what had happened to me. Nice and friendly and looking for more stories so they had a good view of the whole problem. So if you were affected then let them know!

rokapotamus [23 posts] 6 years ago