Data Notification FAQ
What: Breach of payment card data submitted to us through orders placed by phone or online through www.backcountrygear.com between Oct 11th and Oct 17th, 2014.
When: We became aware of the breach on Oct 17rd, 2014 and immediately ensured that the malware (malicious computer code) had been removed from the server. As referenced above, the breach affected orders that were placed between Oct 11th and Oct 17th.
Content that was breached: Customer names, billing and shipping addresses, email address, Backcountrygear.com account password, purchase information, credit card or debit card numbers and expiration date. Since we do not use or collect debit or credit card PINs or bank account numbers in our transactions, none of this data would have been present in a transaction and would not have been affected by the breach.
Issues for customers: It is possible that credit and debit cards used on our site between Oct 11th and Oct 17th were subsequently used without the account holder’s authorization.
Status of site now: Fully secure. The backdoor that allowed the code to be installed was identified and secured. Our Server IT professionals have removed the malware and quarantined affected files. They are performing hourly scans and have seen no evidence of reoccurrence.
How this happened: A hacker remotely attacked the server and inserted sophisticated malware that skimmed information as it was entered on the shopping cart. This was not a breach of a database. Backcountry Gear does not store credit card information in any form in a database. This is why orders placed before Oct 11th and after Oct 17th 2014 were not affected. This breach was completely unanticipated because our IT professionals carefully adhere to known information security guidelines and practices protecting the webserver from viruses and malware.
What to do: If the credit or debit card used in Backcountry Gear transactions between Oct 11th and Oct 17th has not yet been replaced, you should contact your card issuer, inform them of the data breach, and request a new card. We also encourage you to change the password to the account you hold with us. How to change your account password.
We also encourage you to closely monitor your financial accounts and promptly contact your financial institution should you notice any unauthorized activity. You may also obtain a copy of your credit report at www.annualcreditreport.com or 877-322-8228. You may also request information on how to place a fraud alert or security freeze by contacting any of the national credit bureaus referenced below. It is recommended that you remain vigilant for any incidents of fraud or identity theft by reviewing credit card account statements and your credit report for unauthorized activity.
Equifax Experian TransUnion
P.O. Box 740241 P.O. Box 2104 P.O. Box 2000
Atlanta, GA 30374 Allen, TX 75013 Chester, PA 19022
www.equifax.com www.experian.com www.transunion.com
800-349-9960 888-397-3742 800-909-8872
I placed my order using Paypal: We encourage you to change the password to the account you hold with us. How to change your account password. If you use the same password for your PayPal account you should change that password.
For more information: Please contact our help line at 800-953-5499 ext. 5.