Credit card details from runners potentially at risk in a security breach

Active, an American firm used by event organisers worldwide has revealed personal information of thousands of runners and endurance athletes may have been stolen in a security breach.

The site can be used to sign up to popular races all over the country, including the Brighton Marathon, the Royal Parks Half Marathon, the Cardiff Half Marathon and the Newport Marathon. With hundreds of runners potentially affected, the full effects are not yet known.

In an email to some of the affected race-goers, who used the site to enter events between December 2016 and September 2017, the company explains “during this time period, personal information that you provided as part of the checkout process may have been accessed by unauthorised third parties”. The company have also notified the Information Commissioner’s Office.

This personal information includes the names, addresses, email address, credit or debit card number, expiration date and cardholder verification code of the runners.

Runner’s World were first alerted on Twitter, where runners reached out to share their anger and distress at the situation. We later spoke to Angela Champion, who first noticed her card had been hacked when it was used for three different Uber transactions, the largest being for a £160 journey in December 2017.

At the time, Angela said didn’t put two and two together, but after speaking to various members of her running group who had also run the Newport Marathon, she started to think this was more than just an unlucky coincidence. “It would just have been too unlucky that we’d all had our cards hacked in the same John Lewis or Tesco when Christmas shopping, the connection to all of us was Active.com” she told Runner’s World this week.

After realising the connection, Angela sent a Subject Access Request document to Active.com in December 2017 – a document that allows individuals to see a copy of the information an organisation holds about them. Angela told us she received a generic response back from Active, saying her data was protected on their servers. On Monday 19th March 2018, Angela received the email shown above from Active, explaining her data may have been at risk.

Another runner, Darren Smith told us he had three laptops bought on his card after he’d used Active to sign up for a race; “It was a new card and I hadn’t used it much, if at all.” Despite raising this with Active, Darren didn’t receive the email sent earlier this week acknowledging the breach.

Many runners have joined the Facebook group ‘Boycott Active.com’ to share their stories and experiences. Others are urging race organisers to use other event companies for their races in the future.

As yet, Active are yet to respond to our enquires.

Have you been affected by the Active Network potential security breach? Join the conversation on Facebook or Twitter

Looking for your next race? Check out our race listings