Fears over card detail thefts after Active security breach

BBC Cardiff Half MarathonBBC
Competitors of events such as the Cardiff Half Marathon had their payments processed via Active

Credit card details may have been stolen from marathon runners and endurance athletes after a security breach in a payment system.

Active Network is used by a number of events including Velothon Wales, the Cardiff Half Marathon and Ironman Wales to process registrations and payments.

It said details were accessed between December 2016 and September 2017

Active, an American firm used by endurance events organisers worldwide, has been asked to comment.

With hundreds of international events and thousands of participants the numbers affected are not yet known.

The firm has contacted some affected race-goers and also notified the Information Commissioner's Office.

In a letter sent to victims of the data breach and seen by BBC Wales, Active said it recently became aware of suspicious activity on one of their systems - with transactions between December 2016 and September 2017 affected.

The letter states: "During this period, personal information that you provided during the check-out process may have been accessed by unauthorised third parties."

Angela Champion
Angela Champion says some members of her running club lost "hundreds of pounds"

Angela Champion, from Cardiff, said she noticed her card had been used to pay for an Uber shortly after paying for her entry to the 2018 Newport Marathon.

She cancelled her card with her bank, but two more "substantial" transactions were made.

She submitted a subject access request to Active, who wrote back to tell her they did have her personal information, but it was all stored securely.

However, on Monday, she received an email acknowledging there had been a data breach.

She said other members of her running club had lost "hundreds of pounds" and not received a letter acknowledging the breach.

Personal data "sold on the dark web"

Ben Sweet, 28, from Bristol, said about £1,200 worth of fraudulent activity was carried out on his card after he booked to run this year's Cardiff Half Marathon with his wife Liz.

He said: "They [Active] could have dealt with it a lot better by saying 'we're aware, we're investigating', but they were very dismissive and said we've not got a problem."

The breach is not limited to events in the UK, Active has also contacted a State Attorney General in the US about similar breaches.

Run for Wales Chief Executive, Matt Newman said: "We are working with Active at the moment to understand the full implications. So far we have been contacted by three customers out of 103,000 and are unsure how many more have been affected at this stage."

Ironman Wales said it was working with Active to ensure it had "implemented remediation measures that will prevent a recurrence of this type of issue".

In December, a German broadcaster reported that credit cards of people who registered through Active for a cycling event in Hamburg had their details stolen.