
Cyber Incident Victim: Boomerang Rentals

Date: Jan 2015

Location: United Kingdom

Summary

A video game rental service temporarily shut down its websites following customer reports of fraudulent transactions potentially linked to its platform, prompting an investigation into approximately 30 cases of suspected payment card misuse. The company acknowledged reviewing these incidents but did not confirm a security breach, noting that its payment processors had reported no system irregularities. Affected customers were advised to contact their card issuers regarding unauthorized charges, while external reporting indicated that the matter had been escalated to data protection authorities. The investigation remained ongoing with no conclusive findings disclosed at the time of reporting.

Description

On January 12, 2015, video game rental company Boomerang Rentals shut down its websites, displaying a "down for maintenance" message beginning Sunday, January 11. This action followed multiple customer reports of fraudulent credit card transactions linked to Boomerang accounts, documented in a Reddit thread. Customers described unauthorized charges occurring after using Boomerang’s services, though no direct evidence of a breach was initially confirmed. The company acknowledged investigating "approximately 30 people" who reported fraudulent transaction attempts tied to their membership, while explicitly avoiding confirmation of any security compromise. Boomerang issued an official statement on January 12 emphasizing that payment processors Sagepay and WorldPay had not detected anomalies, but committed to a full investigation expected to take several days. Customers were advised to contact their card issuers regarding suspicious activity, reflecting precautionary measures rather than confirmed exposure.

The incident drew attention from media outlets including The Register, which attempted to contact Boomerang via its published support number but received no response beyond voicemail. Public concern escalated as users like Derek formally reported the matter to the UK’s Information Commissioner’s Office, though regulatory involvement remained unconfirmed in available reports. Boomerang maintained operational silence beyond its initial statement, leaving the scope of potential data exposure—including whether credit card details, names, or other information were accessed—undisclosed. No technical details regarding attack vectors, intrusion methods, or system vulnerabilities were released. The company’s public communications focused exclusively on addressing fraud reports while avoiding acknowledgment of infrastructure compromise, leaving the incident’s root cause and full impact unresolved in the immediate aftermath.
