
Important! Email From The Gold Bullion Company


Pipers

I received this email this morning. If anyone has an account with the Gold Bullion Company, please read and take appropriate action!!

 

Dear ------

 

 We are writing to notify you of an incident that has occurred relating to The Gold Bullion Company website. Our website – www.thegoldbullion.co.uk – has been the victim of a highly sophisticated fraud, which has resulted in some customer data being compromised. Protecting our customers’ data is the top priority for us, so we took the immediate decision to take our website and server systems offline while an independent IT forensic security company fully interrogated the website. This investigation has now taken place and we have made any recommended upgrades.

The incident was immediately reported to the police and is now the subject of an investigation by both West Midlands and Metropolitan Police Forces.

What has been compromised?
The data you use for your online account with us may have been compromised, including, first name and surname, email address, address and telephone number.

We would like to stress that the breach did not access any credit or debit card details – we do not hold these records on file.

What can I do?
As of Wednesday 8th July, the Gold Bullion Company website has been reactivated and we are advising all customers to log into their account via www.thegoldbullion.co.uk to change their passwords at their earliest convenience. As we may experience significant web traffic at this time, we would advise you keep trying until you are able to change your password.

If you use the same password for additional accounts not relating to The Gold Bullion Company, we would advise you consider changing these too.

We would like to reassure customers that security and the protection of customer data are of the utmost importance to The Gold Bullion Company, and we have sophisticated systems in place to ensure the highest level of protection.

We greatly value our customers’ support and loyalty, and completely understand that you may have some concerns. We have therefore set up a dedicated hotline and email address, should customers have any questions: 0121 523 1070 (office hours) / enquires@thegoldbullion.co.uk

We will keep you informed if there are any further updates.

Yours sincerely,

Paul Marcus

Managing Director, The Gold Bullion Company


I am not happy, it means there are some criminals who have hold of my details and know where I live.  These fraudsters will sell this information to whoever is the highest bidder and if that is some thugs who want to beat people up in their homes then the fraudsters are not worried.

 

I will not buy from them again.  

 

Bullion Dealers must realise they are selling items that the customer does not want anyone to know they own and security and discretion is of high importance.    


I have been reading around the web.

Apparently the details have already been offered to some bullion dealing competitors, and that the offer did include card / bank details.

How true that is, I don't know but I'd be taking precautions had I purchased from them in the past.

Stacker since 2013


That is scary indeed. As Garthy says, the address is the scariest part for obvious reasons - and even if you don't keep anything at home, you still have to persuade a thug of this...

 

I consider myself lucky to not have bought anything from them, but it's a case of "there but for the grace of God". Hopefully other dealers take note and make sure their electronic and physical security is as tight as possible


I'm worried for my business partner, everything always gets delivered to his house on my behalf, and he doesn't have any of the silver there.

He's got kids too, so I think I'm going to have to take everything I bought from there to his place with orders not to be a hero, just give it to them if anyone starts trouble!


I purchased from them once more than a year ago. But I'm not worried in the slightest. The crooks haven't got any credit card details, no matter what the rumours say. And as for having people's addresses, well, I'm afraid there are plenty of ways to get people's addresses and emails, and believe me when I say you are already on a list held by some dodgy organisations.


The crooks haven't got any credit card details, no matter what the rumours say.

How can you be so sure?

And as for having people's addresses, well, I'm afraid there are plenty of ways to get people's addresses and emails

And have a list of addresses linked solely to people who have purchased silver and gold?

Stacker since 2013


I can be sure because the credit card details are paid through a third party. The security around these credit card clearing houses is as good as you are going to get. If companies like WorldPay, Sage Pay etc. have been compromised then the entire web-based retail industry has also been compromised. Credit card details are not submitted via the bullion website but through a security portal.


Credit cards are easy to cancel/will expire.

It's the addresses of receipt of PMs that people are worried about.

Danny. Everyone here who has sold anything to anyone else has a list of people who have purchased PMs. :)

Yes, but you can get it delivered to your work address etc., something which these companies refuse to allow. So you end up supplying details as required by them, so that they can be slack about it. I was considering at some point to recommend them as their service was good.

 

HH


Ah yes, delivered to your work address. It is not hard to find out your home address once you know the person's name and the place they work. With the help of the work's website, Facebook/Twitter and 192.com I could probably find out where you live within half an hour. Once you know where to look (and I learnt a lot about finding people from researching family trees), you would be surprised just how much info about you there is online. I could even find your birth certificate and marriage details just for good measure. ;)


I wonder if there will be a spike in fake gold buying on ebay for decoys.

I guess the problem with that is it doesn't look great on your feedback. If you're selling bullion then you may not want to be seen buying fakes.

 

You could always  email the seller direct, off the books so to speak. The one thing about these sellers, they always have plenty of "stock"  :ph34r:


Whilst it is bad this has happened and a worry.  

 

This is part of the nature of the beast of not just precious metals but life in general.  Your personal info is on offer at every stage of life

 

Each and every turn in life your data and info can be nabbed anywhere by anybody.

 

Looking back at my early jobs in life, my first, during uni, was working for an outsourcing firm on behalf of Northern Rock at age 20, taking info from folks who were interested in their market-leading savers account back then.

I remember speaking with people who said they had upwards of £3million ready to invest and they are giving home address and telephone info out willy-nilly over the phone and very brash in saying so & how much they had.  These people thought they were calling Northern Rock, they weren't.

My job out of uni was for an Orange call centre where I had access to addresses, mothers' maiden names, passwords, bank account numbers, credit and debit cards, full call record details for the entire length of their contracts, had the ability to remotely re-route folks' calls to desired numbers, ability to block & bar phones at will, ability to blacklist IMEI data and lift it.

In contract connections I registered several reasonably famous people's contract phones: Liam Gallagher's via Creation Music, Johnny Wilkinson's, the Harry Potter cast, Jude Law and Kate Beckinsale.  Useless info to me bar the novelty value, but info and access to this info would be very useful to some people.

I worked on the collections queue team, where a fellow employee thought it was funny to send a text message reminder to Tony Blair's own phone to say his bill was late, although it did lead to his disciplinary and termination.

 

YOUR DATA IS EVERYWHERE !

 

So aside from my working life 

For someone looking to get info on bullion buyers UK wide no easier way would be for them to do ANY of the following

1.  Take a job within any leading bullion firm/dealer and harvest and data mine everything you can for your needs

2.  Purchase bullion from the cheapest sources and re-sell via eBay.  Each and every sale is a lead & stacker

3.  (although I hope it has not happened) register to any precious metals forums, become part of community, build reputation, buy items, sell items.

4.  Root out the vulnerabilities of their web site and hack it as has happened in the case of goldbullionco

Doing just one deal with SOMEONE is showing you have an interest in PMs.

You buy x1 sov from a member forum, who knows you don't have x100 more indoors?

 

You buy x100 sovereigns from a bullion dealer and you are seen as a large fish and worth pursuing by the staff member parcelling up your order?

 

You buy x10 sovereigns from a coin fair you are worth mugging on the way home by an eagle eyed fellow collector ? 

 

You make a big transfer from bank account to bullion dealer and it is picked up by a corrupt dude in the bank security dept who identifies your stack and passes the info to his contact outside

 

Holding £100,000 in the bank you could be just as open to scam or cold call or an attempt of ID fraud being taken against you 

 

Anything is possible in this day and age.  As with anything a sprinkling of common sense  

 

  • Don't buy just from one source
  • Don't buy in bulk from one place
  • Spread your purchases over time
  • Purchase from coin fairs in cash
  • Buy in cash locally
  • Buy using your credit card from European dealers (a keen data thief will then have to take a plane or ferry to rob you)
  • Buy using TransferWise or similar
  • Purchase from pawnbrokers or jewellery stores
  • Sometimes use surrogate addresses like parents/siblings or works address for delivery
  • Set up a MBE or PO box for delivery of packages
  • Use paypal for payment
  • Buy from eBay 
  • Buy from different people on eBay
  • Use collect in person from Argos option within eBay for delivery (no home address exposure then) 
  • Source out eBay deals locally using postcode search offering bullion and go to them and collect and pay in cash 

 

Whilst none of these make you bullet proof to info breaches it certainly spreads your risk a darn sight more than buying everything from one single dealer that may or may not go tits up with their info and leave you open, exposed and vulnerable to the data miner culprits


 and believe me when I say you are already on a list held by some dodgy organisations

 

True, I have to declare my silver purchases in my tax return as I run a jewellery business on the books as well now, but I'm not too worried about the Tories knowing that.

I am in two minds however if the purchase of 3Kg of silver grain is a good or bad thing for the other criminals to know about though?

Yes, it'll be hard to fence, but it also says jewellery at the same time!


I agree with what Paul says above. Your data is not as secure as you think. I worked in information security for many years and I know from experience that companies hate spending money on security; they see it as a waste because there is no return on investment. They would rather do the minimum needed to get a tick in the compliance check box. Or they think that because they have outsourced their IT, the outsourcing company will do a good job on the security, when in fact the outsourcing company will do just the same: they'll spend the minimum they can get away with. And even if the systems are very secure, nearly all systems provide full access to the computer system administrators: do you think there is no administrator in the company who is not susceptible to being bribed or threatened by a criminal gang? It only takes one.

When I used to purchase computer services on behalf of my employer I would make a point of asking to see detailed specifications of the security features. I would ask the supplier if they had used a third party penetration tester to test their security and if so whether I could have a copy of the results. I would ask what standards they had been audited against, and who had performed the audits. On at least one occasion I even performed my own tests, with their permission. But when you are just a customer on a retail website, this is hardly feasible. The chances are suppliers don't realise how vulnerable they are nor what lengths criminals are willing to go to. There are scores of examples of even big name companies being hacked and exposing client information.

In addition to Paul's advice, I would add:
* When you fill in registration information on websites that is designed to allow a password reset, don't provide genuine information. If there are questions like mother's maiden name, or the name of your first pet, first school, or whatever, just make something up and keep a record of it. All of that information could be found out by someone researching you, so it is not secure to use genuine information. I don't even use my real date of birth unless it is for some official site like the government tax portal.
* Use long passwords, or use password management software. Use different passwords on all sites.
* Check your credit records and score periodically so you'll know if someone is trying to open an account or get a credit card in your name.
* When you are about to make a payment or log into your bank, check and double check the URL, and be sure it is exactly what it should be. If you get a warning about a bad certificate, don't ignore it.
* Make sure your operating system is fully patched and up to date. Ditto, stuff like Java client, Flash, Adobe Reader, Winzip, etc. All of those have a long history of nasty vulnerabilities.
* Don't download software from dodgy sites. If you like to experiment, use a sandbox program, such as Sandboxie.
* If you are using Firefox, install the Noscript plug-in. It is one of the most useful pieces of security software around and it's free. It will annoy you for a few days because it blocks all active content by default, but once you have tuned it to accept the sites you trust, it is golden.
 


I got this email, I bought from them over a year ago I think, the card I used I've had replaced in the meantime

 

Do you think this has something to do with why their site was down not long ago? When was that? How long have they known...

Help thread for members new to silver/gold stacking/collecting

The Money Printing Myth the Fed can't and don't money print - Deflation ahead, not inflation 


  • 2 weeks later...
  • 1 year later...
On 08/07/2015 at 19:25, Paul said:

Whilst it is bad this has happened and a worry.  

 

This is part of the nature of the beast of not just precious metals but life in general.  Your personal info is on offer at every stage of life

 

Each and every turn in life your data and info can be nabbed anywhere by anybody.

 

Looking back at my early jobs in life, my first, during uni, was working for an outsourcing firm on behalf of Northern Rock at age 20, taking info from folks who were interested in their market-leading savers account back then.

I remember speaking with people who said they had upwards of £3million ready to invest and they are giving home address and telephone info out willy-nilly over the phone and very brash in saying so & how much they had.  These people thought they were calling Northern Rock, they weren't.

My job out of uni was for an Orange call centre where I had access to addresses, mothers' maiden names, passwords, bank account numbers, credit and debit cards, full call record details for the entire length of their contracts, had the ability to remotely re-route folks' calls to desired numbers, ability to block & bar phones at will, ability to blacklist IMEI data and lift it.

In contract connections I registered several reasonably famous people's contract phones: Liam Gallagher's via Creation Music, Johnny Wilkinson's, the Harry Potter cast, Jude Law and Kate Beckinsale.  Useless info to me bar the novelty value, but info and access to this info would be very useful to some people.

I worked on the collections queue team, where a fellow employee thought it was funny to send a text message reminder to Tony Blair's own phone to say his bill was late, although it did lead to his disciplinary and termination.

 

YOUR DATA IS EVERYWHERE !

 

So aside from my working life 

For someone looking to get info on bullion buyers UK wide no easier way would be for them to do ANY of the following

1.  Take a job within any leading bullion firm/dealer and harvest and data mine everything you can for your needs

2.  Purchase bullion from the cheapest sources and re-sell via eBay.  Each and every sale is a lead & stacker

3.  (although I hope it has not happened) register to any precious metals forums, become part of community, build reputation, buy items, sell items.

4.  Root out the vulnerabilities of their web site and hack it as has happened in the case of goldbullionco

Doing just one deal with SOMEONE is showing you have an interest in PMs.

You buy x1 sov from a member forum, who knows you don't have x100 more indoors?

 

You buy x100 sovereigns from a bullion dealer and you are seen as a large fish and worth pursuing by the staff member parcelling up your order?

 

You buy x10 sovereigns from a coin fair you are worth mugging on the way home by an eagle eyed fellow collector ? 

 

You make a big transfer from bank account to bullion dealer and it is picked up by a corrupt dude in the bank security dept who identifies your stack and passes the info to his contact outside

 

Holding £100,000 in the bank you could be just as open to scam or cold call or an attempt of ID fraud being taken against you 

 

Anything is possible in this day and age.  As with anything a sprinkling of common sense  

 

  • Don't buy just from one source
  • Don't buy in bulk from one place
  • Spread your purchases over time
  • Purchase from coin fairs in cash
  • Buy in cash locally
  • Buy using your credit card from European dealers (a keen data thief will then have to take a plane or ferry to rob you)
  • Buy using TransferWise or similar
  • Purchase from pawnbrokers or jewellery stores
  • Sometimes use surrogate addresses like parents/siblings or works address for delivery
  • Set up a MBE or PO box for delivery of packages
  • Use paypal for payment
  • Buy from eBay 
  • Buy from different people on eBay
  • Use collect in person from Argos option within eBay for delivery (no home address exposure then) 
  • Source out eBay deals locally using postcode search offering bullion and go to them and collect and pay in cash 

 

Whilst none of these make you bullet proof to info breaches it certainly spreads your risk a darn sight more than buying everything from one single dealer that may or may not go tits up with their info and leave you open, exposed and vulnerable to


http://www.standard.co.uk/news/london/canary-wharf-computer-hacker-jailed-for-stealing-thousands-of-pounds-in-gold-a3343241.html

Judging from his pic you would think he would be too busy fighting off the ladies ;)

Help thread for members new to silver/gold stacking/collecting

The Money Printing Myth the Fed can't and don't money print - Deflation ahead, not inflation 


Archived

This topic is now archived and is closed to further replies.
