No problems at all here. Just ordered a chain guide. Oh and for the record Superstar have always been super-quick to reply to any email queries.
+1 here for Superstar.
Looking forward to receiving someone's dropper-post soon. 😀
I have never ordered anything from Superstar or even logged into the Superstar website.
My bargain dropper seatpost has still not arrived, who do I complain to?
How can they let this happen??
Just logged in and got someone's details and order history here 😕
Think I'll leave that one until tomorrow.
I hope somebody (especially those claiming to know the guys) have given them a call and told them that their website is spewing customers details out all over the place and needs to be taken off line before they get in trouble.
From their Facebook 3hrs ago
Superstar Components: Hello, the office closes at 5pm so you won't get through. I've checked the site on several computers and cannot find an error. It looks like the server had a glitch and spat out the wrong session to a few people due to hundreds of people logging on for the special offer at exactly the same time. We apologise for any confusion and can confirm that nobody can charge you or order things on your behalf because all our payments are handled offsite by PayPal.
I'll check up on this tomorrow as I can find any issues currently
I'm Luke B *waves*
Are you the emo kid who was on here all the time years back? Along with 'Big Mike AKA Mike' who I believe was another kid with hormone problems who also spent too much time on the Internet?
I did wonder if they turned into normal people after those tumultuous teenage years?
And was it you who got your friend to sign up even though she didn't own a mountainbike? Her name was louisa bliggy?
Apologies if I have the wrong LukeB.
When this happened on the gamestation website they started giving out £100 vouchers to people reporting it. They can get in a lot of trouble
ANDYRM
and believe me, those details simply are not in the hands of an online retailer.
is that correct?
I thought about 99% true - all retailers use a merchant to process credit card transactions, and smaller retailers are simply linking you to the merchant (PayPal, Nochex, HSBC etc) website where the transaction is processed; the merchant site then flags back to the retailer site that the transaction has happened - that's why most small retailers take payment at time of order.
large retailers offer you the convenience of storing credit card details (some infamously some not) eg Amazon, CRC, Wiggle, NEXT = my understanding is that this info is directly stored by the retailer - albeit the systems set up has to meet the merchants security criteria - gives customer convenience and billing when that back order item eventually turns up
oh yes the thread title is OTT, the explanation of what info was being displayed too vague to start with
Yep - effectively what happens is the website transfers you to the Paypal "till" with a note saying how much you owe. You pay this to Paypal. Paypal confirm to retailer you have paid, and return you to retailer website, with the retailer never seeing the card info at all.
Revenues are then instantly in the retailer's Paypal account, less Paypal's commission.
Believe me, Paypal security is super tight. And by it being like this, the odds of a CRC style hack of stored cards is much lower as the retailer never had them.
Yep, it's expected that no CC details were let out, but names, addresses and phone numbers along with order history were, i.e. a failure of the log-in process, which should have been sorted out when they knew about it, not left till the morning.
I agree. That could have at least been worded better: 'will look into this asap', even if you meant secretly you weren't till first thing.
and believe me, those details simply are not in the hands of an online retailer.
is that correct?
Believe me, Paypal security is super tight. And by it being like this, the odds of a CRC style hack of stored cards is much lower as the retailer never had them.
Don't really understand the answer - yes, I believe PayPal security is very good, and that SSC use PayPal to process transactions, so they fall in the 99% of "smaller" businesses that never hold card data.
But I'm not sure on "never in the hands of a retailer" - I believe this isn't the case for some large retailers: the data may not be readily accessed by employees but sits on the retailer side.
Are you the emo kid who was on here all the time years back? Along with 'Big Mike AKA Mike' who I believe was another kid with hormone problems who also spent too much time on the Internet?
I did wonder if they turned into normal people after those tumultuous teenage years?
And was it you who got your friend to sign up even though she didn't own a mountainbike? Her name was louisa bliggy?
*waves*
I turned out as reasonable as could be expected.
And I'm just [i]a[/i] Luke B, not [i]the[/i] Luke B.
it is a classic case of blowing something out of proportion.
= classic case of pot calling kettle...
I would join in but I've just dislocated my jaw with yawning... 😯
What you doing typing with your jaw.......confubulator lessons for you I'm afraid! 😉
http://www.backupdirect.net/data-protection-act-summary
As my dad found out recently, all that the scum out there need is a name, address and telephone number to acquire a mobile phone from Vodafone. Took 4 months to sort that out, with a visit from the debt collectors threatened!!
So although it might not look serious it is 😯
However whether it be human nature, mechanical or digital incidents like this will always crop up 🙄
If card data is held, merchants generally comply with the standards laid down in the PCI DSS (Google it). Compliance is verified via internal and external audit during test/deployment.
In this case the card data will be held by PayPal who will be fully PCI compliant. I wouldn't get too excited though, some of the PCI compliant systems I've seen haven't been very clever at all.....
As for sharing confidential data (name, address etc), this may fall under the data protection act and if I were Fruit, I'd be very concerned about contravening that as porridge and/or massive fine are likely outcomes.
What boblo says. Mrs T is awaiting the outcome of an investigation at her place of work 😐
He does seem to have changed his tone a bit on Facebook. As boblo said - his biggest worry is going to be if there's any subsequent data protection fallout for him.
I do find it odd - if CRC/Wiggle/etc were spraying random peoples names addresses and order details out to all and sundry I suspect there'd be less 'he's a nice chap, let's keep it quiet and let him sort out in his own time' type responses.
After their facebook was quiet about it I posted a link to this thread, he nicely deleted it this morning.
In all seriousness the sensible thing would have been to pull the plug and put a holding page up till you worked out what was going on. Especially given the Data Protection aspects which are very serious. But I guess if you were trying to get shot of a load of KS posts super quick....
In case anyone is counting, what treckster said about name, address & number happened to me. It killed off my existing mobile when I was far from home. It was then not easy to sort.
I think the lynch mob need to settle down now. SS have posted on their FB that they are investigating.
Wait till the outcome of that and establishment of facts as to what happened and corrective measures in place.
Tech outages are always going to happen - and given the STW IT worker demographic, I'm sure you all know that.
[i]establishment of facts as to what happened[/i]
the [b]*facts*[/b] are that I saw several other peoples personal details and mine were viewed by other people.
'outages' are where systems goes down, not when sessions and baskets are randomly assigned to users who are nothing to do with them.
You're not from around here are you boy.
That's not how things happen in these here parts.
wwaswas - our definition of 'outage' at my work is any systems failure. Please accept my humblest apologies for using a different word to your first choice, but you know what I mean 🙂
I like superstar gear and will continue to buy it despite idiotic threads like this one.
The issue is you still seem to be questioning what the 'facts' were when there have been a lot of people reporting the same breach of data protection laws across a 5 or 6 hour period.
I think the lynch mob need to settle down now. SS have posted on their FB that they are investigating.
Unlike last night when they said sorry we have gone home and wait till the morning while our website continues shares your details with random strangers.
Websites spewing info out to random people, which potentially may have exposed a gaping hole in our security set-up, is generally one of those things you sort out rather than go home.
Tech outages are always going to happen - and given the STW IT worker demographic, I'm sure you all know that.
From a tech/it perspective it's more of a **** up than an outage.
Not sure why you're fixating so much wwaswas - it's been stated on their FB that they are investigating. Sometimes things go wrong. They are investigating with a view to a fix. End of story. Move on.
as porridge and/or massive fine
Half right - unlimited fines, not prison for accidental breaches, even if blatant negligence is the cause.
We've had an ICO investigation after an accidental DPA breach; it'll likely come down to what was in place and how seriously the protection of data was taken:
If they had tried to do things right, had policies in place and processes that should have kept private data private, but something went wrong with them, probably nowt to worry about assuming that the issue is dealt with promptly and capably.
If they had never given a thought to security of private data, had nothing in place to protect it, no policies or person taking responsibility then problems aplenty from the ICO...
For the ICO to even take it half seriously though, there would have to be evidence that the breach was likely to cause harm (including distress) to the subjects whose data leaked, it's not necessarily meeting that threshold just from another cyclist getting a fleeting glimpse at your shopping basket tbh
Not sure why you're fixating so much wwaswas
Hmmm. The words kettle, pot and black spring to mind. Do you really have no connection with Superstar?
[i]Not sure why you're fixating so much wwaswas[/i]
I'm equally not sure why you're insisting on posting on and trying to police a thread about an event that didn't involve you and for which your sole criterion seems to be 'I rode with him once and he seemed like a nice bloke'?
Random strangers were presented with my personal details. I feel that saying 'maybe just buggering off home and ignoring the problem was inappropriate' is a reasonable stance to take.
I also note that they are still accepting orders and allowing people to use the site despite now knowing that they are breaching data protection laws. That's not an 'outage' that's illegal.
Anyway, perhaps you should move along and let those of us who might feel aggrieved at the approach taken to our personal data air our views?
Not sure why you're fixating so much wwaswas - it's been stated on their FB that they are investigating. Sometimes things go wrong. They are investigating with a view to a fix. End of story. Move on.
Normally when people (I) say that they are (I am) investigating the issue it means I'm still having my breakfast and until I make a second pot of tea would you leave me alone. It could also mean I have no idea how this ****ed up or what has actually happened and pass me another tea and some hob nobs while I make it look like someone elses fault
I was on their website yesterday buying some pads at around lunchtime without a problem. You have obviously had an issue (which in my opinion is a minor one) and have chosen to use that to try and damage someone's business for some reason.
Your headline is ridiculously out of proportion and your ongoing comments seem a bit tinfoil hat if you ask me. I can get your name and address out of the phone book.
I just logged in and there is no problem.
edlong - Member
For the ICO to even take it half seriously though, there would have to be evidence that the breach was likely to cause harm (including distress) to the subjects whose data leaked, it's not necessarily meeting that threshold just from another cyclist getting a fleeting glimpse at your shopping basket tbh
But this isn't shopping basket data, is it? It's personal data (names, addresses, phone numbers). The fault was found yesterday at 16:00? and the site is still up. 'Normally' the site would be taken offline and a maintenance page put up whilst it's sorted. That would be regarded as reasonable action. Ignoring it and continuing to trade is not.
Grum - absolutely not mate, I just hate seeing these kind of lynchings, especially when a lot of the thread content seems to be driven by an old grudge for what some perceive to have been a slight against STW some time back. I might be accused of being a bit of a devil's advocate in this thread perhaps - but just presenting a point of view that I hold, given I work in an industry that has to be on the receiving end of customer's online complaints, and having seen people getting disproportionately upset.
Oh and I just put an order through, so if anyone sees my details pop up for 2 x 4 packs of Kevlar pads (one bundle for Saint/Zee and one bundle for Avid), a Flatland 780 bar and a 183-203 F brake adaptor going to Bristol, that's me. Oh and the address is for my office in case any of you are burglars hoping to rob all my bikes! 😉
Anyway, perhaps you should move along and let those of us who might feel aggrieved at the approach taken to our personal data air our views?
We're going to have to disagree here. I'm not for one second saying you are wrong for being aggrieved. I am however saying that some of the responses on this thread do seem disproportionately emotionally loaded and worried. I'd expect someone to be able to accept (as I do) that there might be another point of view than my own. Just saying.
[i]I'd expect someone to be able to accept (as I do) that there might be another point of view than my own[/i]
but you still type;
[i]End of story. Move on. [/i]
as if your view is the only valid one.
tbh, I am a bit pee'd off that other people saw my details but I'm not overly concerned about it as a one off event. I was probably as annoyed by the OP putting my name in the thread.
I am concerned that there may be security issues with his software beyond what we've seen that would allow a more directed attack to deliver significant quantities of personal data to those choosing to do it.
I don't feel I've been over-emotional or disproportionately upset but, equally, I'm not just going to stop posting on a thread because someone unconnected with the business says 'they've made a statement on Facebook so it's all over now'.
If those who feel this thread is too much stopped posting, I suspect discussion would die down and it would drift off the front page.
why does andyrm refer to him/herself in the third person?
SSC have history and it's not glorious
this thread was best summed up by "i once vowed never to use them again but got sucked in by a bargain"
andyrim - take heart, the bargain basement marketing ploy worked. suggest you add the IT systems to the long list of stuff needing fixed.
It seems to me that user session data is getting "leaked" to other users (as mikewsmith mentioned), not sure how that'd happened unless it's cache related which would be backed up by cheap dropper posts = higher load and has actually been a bug all along but only now been detected.
IMO the site should have been taken down when the bug was reported by multiple users and stayed down until fixed. If I'm correct then I'm not actually sure what else superstar could have done as it'll be a bug in software, they certainly should have knocked the site down though.
FWIW I've just ordered a pair of grips from then anyway...
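The failure mode this post speculates about (a shared cache in front of the shop handing one logged-in user's personalised page to the next user under load) can be modelled offline. The following is an added illustration for readers, not Superstar's code and not a description of what actually happened on their site; the customer records and session cookies are constructed, and only the `Cache-Control` directives (`private`, `no-store`) are real HTTP semantics.

```python
"""Toy model of a shared HTTP cache in front of a shop's account page.

Added illustration (not the retailer's code). Shows how a reverse-proxy cache
keyed on the URL alone serves Alice's account page to Bob when the origin
forgets to mark personalised responses as uncacheable, and how the corrected
origin (or a cache that honours Cache-Control) prevents it.
"""
from dataclasses import dataclass, field

# Constructed sample data: session cookie -> customer record.
SESSIONS = {
    "sess-alice": {"name": "Alice Example", "basket": ["chain guide"]},
    "sess-bob": {"name": "Bob Example", "basket": ["dropper post"]},
}


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def render_account(cookie: str, private: bool) -> Response:
    """Origin server: renders the account page for one session.

    private=False models an origin that lets personalised pages be cached
    publicly; private=True is the corrected origin.
    """
    user = SESSIONS[cookie]
    body = f"Hello {user['name']}, basket: {', '.join(user['basket'])}"
    cache_control = "private, no-store" if private else "public, max-age=60"
    return Response(body, {"Cache-Control": cache_control})


class SharedCache:
    """A shared cache keyed on the request path only (no per-user key)."""

    def __init__(self, honour_cache_control: bool = True):
        self.store: dict[str, Response] = {}
        # A cache that ignores Cache-Control is the second way this can go wrong.
        self.honour_cache_control = honour_cache_control

    def fetch(self, path: str, cookie: str, origin) -> Response:
        if path in self.store:          # hit: whoever asks gets the stored page
            return self.store[path]
        resp = origin(cookie)
        cc = resp.headers.get("Cache-Control", "")
        uncacheable = "private" in cc or "no-store" in cc
        if not (self.honour_cache_control and uncacheable):
            self.store[path] = resp     # personalised page is now shared
        return resp


def simulate(private: bool, honour_cache_control: bool = True) -> list[str]:
    """Alice then Bob request /account through one cache; return what each saw."""
    cache = SharedCache(honour_cache_control)
    origin = lambda c: render_account(c, private)
    return [cache.fetch("/account", c, origin).body for c in ("sess-alice", "sess-bob")]


def leaked(private: bool, honour_cache_control: bool = True) -> bool:
    """True when Bob received a page that was rendered for Alice."""
    return "Bob Example" not in simulate(private, honour_cache_control)[1]
```

Real caches also need a per-user cache key (for example `Vary: Cookie`) for anything that is legitimately cacheable per user; the model above only covers the "never cache it at all" case.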
why does andyrm refer to him/herself in the third person?
SSC have history and it's not glorious
this thread was best summed up by "i once vowed never to use them again but got sucked in by a bargain"
andyrim - take heart, the bargain basement marketing ploy worked. suggest you add the IT systems to the long list of stuff needing fixed.
soobalias - I suggest you speak to Drain off here (link to his profile: http://singletrackworld.com/forum/profile/drain ) who I am sure will be happy to confirm that when he met me in person at Bristol Temple Meads to pick up some brakes, I was me, not Neil from Superstar, and that the payment details he used to pay me for the Maguras were in my name, not someone else's. Good attempt though, but next time, try and make accusations that are factually correct 🙂
But this isn't shopping basket data, is it? It's personal data (names, addresses, phone numbers). The fault was found yesterday at 16:00? and the site is still up. 'Normally' the site would be taken offline and a maintenance page put up whilst it's sorted. That would be regarded as reasonable action. Ignoring it and continuing to trade is not.
Names and addresses are not sensitive personal information. In fact, the ICO gives this as a specific example of something that is NOT reportable as it doesn't contain sensitive personal information. Add in NI numbers, dates of birth or similar, then you've got a serious breach of the DPA that needs to be reported to and investigated by the ICO, but if it's names, addresses and phone numbers only then it really doesn't meet the threshold, in fact for anyone who's not ex-directory, it's public domain already (the phone book).
While a bit embarrassing for SS, those of you getting in a froth about the DPA, massive fines and talk of imprisonment need to calm down, acquaint yourselves with how the ICO / DPA actually work (the ICO website is really helpful) and stop trying to equate this with serious losses of sensitive personal information, which it clearly isn't.
As a bit of perspective, I was involved with an ICO case where an organisation had lost a laptop, which was not effectively secured, and the hard drive of which contained information about individuals which included sensitive medical information. They had things in place that should have prevented the data being accessible, but those things didn't work in that instance due to a combination of factors, and they took prompt and reasonable action to manage the incident. The ICO took no action.
Did the lappie have a remote self destruct button? 🙂
we had one of those ed. I found out who security had to tell and made sure nothing ever left my sight ever again 🙂
My worry was more that the info presented was the symptom of something worse. The assumption was that it was to do with the e-mail, but there is always a chance of hacking. Hence why I suggested the site should have been taken down.