PSA--possible Flannery Berserker credit card breach? [UPDATE in First Post 2/14/20]

[David McMillen]

In the past week I've had fraudulent charges post on 2 different credit cards of mine. I've been scratching my head on this and it seems the only recent purchases that aren't "typical" for me (on 2 different cards) are related to buying wine from several wineries. Has anyone else had this happen recently? Could we crowd source a common entity? Or maybe my usual shopping sites are the culprit... Just a total shot in the dark, really but thought I'd ask the community at large.

[MOD EDIT: added update as of 2/14/20]

Hi All, I want to give you an update on what is going on with regards to" the fine mess I've gotten you all in" ! We hired 3 companies to look at each facet of our process; ingress, the platform, and egress. We have identified the problem and removed it. Somehow, a script was added at the egress side ( where the CC info is sent to the card processor). This script effectively made a copy of the card data and at the point where the website sent the billing information to the card processor; it simultaneously diverted the copy to the bad guys. We are now in the process of determining how and when the script got added in the first place; so for this reason, the website is still locked down. We have blocked all of the cards in storage at the processing company, so for any who might have tried to order and were told you card was not accepted, that's the reason. We won't open the site back up until we are absolutely secure- if anyone wants anything in the meantime, call us directly and we'll take care of you. Once again, our sincere apologies for this inconvenience, and we'll keep everyone posted on progress towards a solution. Happy Valentine's Day to everyone! Bryan and Katie

[Mod edit: added Flannery response]

Hi all, I am just seeing this thread now, and want to address as best we can. Last week Amex reached out and said that they were researching potential fraud with cards used prior on our website. We immediately reached out to our payment gateway company (Authorize.net). They did not indicate anything definitive, so we hired an approved scanning vendor to run a full audit of our web site. This is underway right now, but I don't know any results if any yet. We are taking this very seriously, and as we find out more, will post here. To err on the safe side, we are currently gathering all emails of customers who purchased from us on BD to send a note to apprise them of this situation. For those of you who don't already have it, my cell # is 415-819-4366; i'm happy to speak directly with any and all. My sincere apologies for whatever is happening. Bryan

[AndyK]

I've had this happen recently on a brand new credit card that was 9 days old (after getting a replacement because of suspected fraud) and after using it at maybe 5 physical stores and 5 online wine shops... They had my credit card number and street address and used it in combination with someone else's Ticketmaster account to buy expensive Sacramento Kings tickets.

All resolved with the credit card company and Ticketmaster, but thought it's worth sharing.

[Alan Rath]

I got a fraud alert on a replacement card for a card that had been closed, even before I activated it*

*OK, that's hyperbole, but it's a little sad and scary how much fraud is out there, and how often cards are compromised and have to be replace.

[John Morris]

Hmm. Coincidence? David and Andy -- you guys should compare lists of wineries. Also, do they possibly share some backend software or transaction processor for their sales?

I'm always a bit nervous about giving my credit card info to small businesses (such as wineries) because I suspect many do not have very robust security.

Not that big business's record has been great.

[Scott Goodwin]

I actually had a fraud on my CC on the Wed or Th after BD10. They attempted a $0.85 charge at some sort of "restaurant" in CA. Can't recall the name of the town. Nowhere I'd ever heard of. I initially thought it could have been related to BD10 purchases but I use my CC a lot in general (online and in person) so it would be hard to pinpoint where the fraud could have originated.

[bretrooks]

We had a card replacement about a week and a half ago. The attempted charges which our CC company flagged were in the midwest somewhere.

It's a card we use a lot, so I'm not sure it's any of the wine-related places it was on file (listed below), but just in case there is a pattern to be found:
K&L
Benchmark
Tercero

[julianseersmartin]

It's very likely one of the websites you have used is compromised. Share the list of retailers and I would imagine a common entity will emerge.

[JDavisRoby]

Hmm. Coincidence? David and Andy -- you guys should compare lists of wineries. Also, do they possibly share some backend software or transaction processor for their sales?

I'm always a bit nervous about giving my credit card info to small businesses (such as wineries) because I suspect many do not have very robust security.

Not that big business's record has been great.

My card was compromised last year but I have no clue how.

I’ve wondered about the common winery back end. When I search my email for certain producers other wineries that appear to be using the same backend software also pop up. Anyone know why that is?

[Mark Y]

I actually had a fraud on my CC on the Wed or Th after BD10. They attempted a $0.85 charge at some sort of "restaurant" in CA. Can't recall the name of the town. Nowhere I'd ever heard of. I initially thought it could have been related to BD10 purchases but I use my CC a lot in general (online and in person) so it would be hard to pinpoint where the fraud could have originated.

Woa. I had the same thing!!
Chase flagged it as fraud and called me.

Like 83 cents from a restaurant in California.

Only I bought in BD11 was Flannery tho?

[David McMillen]

Wow. Maybe we're on to something, (or maybe coincidence?). I hate to publicly post entities because I don't want to tarnish any names, but 1 place I purchased from has been named already in this thread. In my original post I made the mistake of not saying my unusual purchases were from wineries, online wine stores, and a BD purveyor. That said, I bet most companies are under cyber attack constantly so not sure all this will help much.

[Frank Z]

I've had this happen recently on a brand new credit card that was 9 days old (after getting a replacement because of suspected fraud) and after using it at maybe 5 physical stores and 5 online wine shops... They had my credit card number and street address and used it in combination with someone else's Ticketmaster account to buy expensive Sacramento Kings tickets.

All resolved with the credit card company and Ticketmaster, but thought it's worth sharing.

I also had this happen to me, with an non-new card. A random charge of over $900 from Ticketmaster appeared with the description of Sacramento Kings, but then the charge was refunded/reversed the next day...

[John Morris]

I’ve wondered about the common winery back end. When I search my email for certain producers other wineries that appear to be using the same backend software also pop up. Anyone know why that is?

It might not just be software that a winery uses. The sales part of their website might actually be run by some other company that furnishes that service to wineries.

[AndyK]

I've had this happen recently on a brand new credit card that was 9 days old (after getting a replacement because of suspected fraud) and after using it at maybe 5 physical stores and 5 online wine shops... They had my credit card number and street address and used it in combination with someone else's Ticketmaster account to buy expensive Sacramento Kings tickets.

All resolved with the credit card company and Ticketmaster, but thought it's worth sharing.

I also had this happen to me, with an non-new card. A random charge of over $900 from Ticketmaster appeared with the description of Sacramento Kings, but then the charge was refunded/reversed the next day...

Interesting... Same charge here, $950 and change. Ticketmaster refunded and clearly identified as fraud, Chase closed my card and sent me yet another new one.

Not trying to call out anyone or suggesting their website or partner website was hijacked, but here's the list of wine related stores I've used my credit card in the 9 days I've had it before the fraud occurred: Crush, Flannery, wine.com, Ceritas.

[Frank Z]

I've had this happen recently on a brand new credit card that was 9 days old (after getting a replacement because of suspected fraud) and after using it at maybe 5 physical stores and 5 online wine shops... They had my credit card number and street address and used it in combination with someone else's Ticketmaster account to buy expensive Sacramento Kings tickets.

All resolved with the credit card company and Ticketmaster, but thought it's worth sharing.

I also had this happen to me, with an non-new card. A random charge of over $900 from Ticketmaster appeared with the description of Sacramento Kings, but then the charge was refunded/reversed the next day...

Interesting... Same charge here, $950 and change. Ticketmaster refunded and clearly identified as fraud, Chase closed my card and sent me yet another new one.

Not trying to call out anyone or suggesting their website or partner website was hijacked, but here's the list of wine related stores I've used my credit card in the 9 days I've had it before the fraud occurred: Crush, Flannery, wine.com, Ceritas.

Mine was also a Chase card and I requested a replacement as well (the charge was on 2/1, refunded on the 2/2). And as for stores I used mine at: Starbucks, Amazon, and Flannery... hmm..

[T Welch]

Mine was a Citibank card and I purchased from Flannery, also. Citibank called me regarding a bogus $78 hotel (I think the business was something like HotelTonight, the reviews are brutal) charge in San Francisco.

[AndyK]

4 mentions of Flannery... I don't believe in coincidences

[Ethan Abraham]

Me too. I sent them an email to alert them.

[Br1an Th0rne]

.

[AndyK]

Me too. I sent them an email to alert them.

5 people so far. I tried calling them multiple times and left a voice mail

[Richard Jen]

Not sure it's Flannery but that's one of the merchants I bought from during BD. Got $0.1 from Wilborniti Turkey Run US last Thursday, then $600+ from GB which Citi marked as fraud and contacted me immediately.

[brigcampbell]

Me too. I sent them an email to alert them.

5 people so far. I tried calling them multiple times and left a voice mail

Did anyone have a breach RIGHT after BD11 and didn't purchase Flannery?

[Frank Z]

Me too. I sent them an email to alert them.

5 people so far. I tried calling them multiple times and left a voice mail

I sent Bryan a text as well. Nothing is conclusive or definitive as everything still may in fact be coincidental, but just wanted to make sure that they're aware.

[AndyK]

David, it may be good to change the title in the OP to something that urges people to check their statements if they bought at Flannery during BD11.

Seems like a serious breach, they had my full name, address, and credit card information based on my call with Ticketmaster.

[Sean_S]

This happens to me 2-3 times a year literally and has for years upon years...

[AndyK]

Sean, I'm sure you didn't mean it this way, but the fact that this happens is not an excuse and this is still a serious problem.

[Todd F r e n c h]

I ordered Flannery, no fraud on my card - will email them though

[Mark Y]

Shoot.. i do not mean to bash on Flannery.. freakin' loved the meat.. i was just shocked someone had the same thing happen as me.. (80 some cents from a restaurant in CA).. and I only made one purchase on BD. Looking at my statement, that's the only 'unusual' purchase i made within about a 10 day window (the rest are common lunch spots near work, etc).

[Orlando De Jesus]

Mine was Flannery as well that same day. The fraud was from Ticketmaster for SB Music Festival $464 (super bowl or santa barbara music festival). I am still debating with the bank. I call immediately it appeared as approved, but not billed. Ticketmaster never responded me.

[AndyK]

Not trying to bash Flannery and hoping it’s not them as I have purchased multiple times in the past with no issues and live their product, but based on the data points from this thread, there is zero reason to believe it’s not them or one of their partners...

[AndyK]

Mine was Flannery as well that same day. The fraud was from Ticketmaster for SB Music Festival $464 (super bowl or santa barbara music festival). I am still debating with the bank. I call immediately it appeared as approved, but not billed. Ticketmaster never responded me.

Call Ticketmaster, they were very responsive and called me back the same day

[J. Rock]

Probably unrelated, but there was fraud on my card for the first time in a long time (or that I can remember) on 1/17/20 when someone tried to buy a little under $300 worth of goods at a place called Winter Kids Online. The only wine store related purchase I made anywhere around that time was at K&L (online) a few days prior.

I'm thinking it's just coincidence, but I figured I'd share just in case there's a trend.

[dave kammerer]

I have had several cards scammed, most of the problems were gas purchases at stations on the road. One was at a restaurant where they take the card away to process. Solution for the gas station issue was to get a new card with the tap to pay feature, this seems to avoid the scimmers at the pump.

[Scott Goodwin]

I actually had a fraud on my CC on the Wed or Th after BD10. They attempted a $0.85 charge at some sort of "restaurant" in CA. Can't recall the name of the town. Nowhere I'd ever heard of. I initially thought it could have been related to BD10 purchases but I use my CC a lot in general (online and in person) so it would be hard to pinpoint where the fraud could have originated.

Woa. I had the same thing!!
Chase flagged it as fraud and called me.

Like 83 cents from a restaurant in California.

Only I bought in BD11 was Flannery tho?

Just for the record, Flannery was one of the (several) places I purchased from on BD.

[bob poirier]

I also ordered from Flannery and had a similar fraud issue recently

[David McMillen]

One of my purchases was Flannery as well. As several people have mentioned already contacting them, I won't. I hope the guilty thieves get their due and feel bad for any small business trying to get by in an age of internet predators at every step.

[MICHAEL C R O M W E L L]

Flannery purchase here too, fraud appeared within 36 hrs. Damn shame, the hanger steaks were delicious

[R yan C omaz zetto]

I bought from Flannery on BD too - no CC fraud.

[Jeff_D]

My Chase card was compromised and used for $1 at a gas station in Decatur, GA on Sat. 2/1. Probably someone testing it out and Chase denied it and flagged it as fraud. I did not order from Flannery. Bought from several others on BD11 but it’s the card I used for most purchases not just wine.

[Chris Seiber]

I also ordered from Flannery on BD and had to replace the credit card shortly afterwards.

[Mich@el Ch@ng]

same

[D@ve D y r 0 f f]

I did just have a breach discovered on Saturday ($100 exactly at Massage Envy, plus a <$1.00 charge at Massage Envy, and another $100 charge at some online clothing retailer in CA - I assume the $100 even charges were attempts to buy gift cards?). An annoyance because this was a fairly recently re-issued card and it's the one we use most, and for many recurring items, so I get to go through and re-enter all of those yet again...

I made a few BD11 purchases, all with this card, but I did NOT make a Flannery purchase this time. Grassl, Terrien, Calluna, Balanced, Wilde Farm.

Of course, whoever got my info could have gotten it weeks ago and only now did they (or someone who bought it from them on the dark web) try using it.

[Albert R]

I purchased from Flannery and others on BD11. No breach on my card.

[Alan Rath]

I also ordered from Flannery on BD and had to replace the credit card shortly afterwards.

Same story here. Feel bad for them if there was some problem, don't want them to get a bad rap, love them and the products, and will keep buying!

[Scott Watkins]

I bought Flannery and no fraud on my card.

[Sarah Kirschbaum]

Me too - purchased from Flannery on BD and had to replace Amex Platinum. It's the first time I've ever had an issue with that card. Not holding anything against Bryan, of course!

[Mich@el Ch@ng]

I also had a fraudulent charge from wilbornti

[bryan flannery]

Hi all, I am just seeing this thread now, and want to address as best we can. Last week Amex reached out and said that they were researching potential fraud with cards used prior on our website. We immediately reached out to our payment gateway company (Authorize.net). They did not indicate anything definitive, so we hired an approved scanning vendor to run a full audit of our web site. This is underway right now, but I don't know any results if any yet. We are taking this very seriously, and as we find out more, will post here. To err on the safe side, we are currently gathering all emails of customers who purchased from us on BD to send a note to apprise them of this situation. For those of you who don't already have it, my cell # is 415-819-4366; i'm happy to speak directly with any and all. My sincere apologies for whatever is happening. Bryan

[AndyK]

I hope you're able to resolve this quickly and without too much impact on your business, Bryan!

FWIW, we'll be cooking some Flannery hanger tonight (was already in the plans )

[brigcampbell]

I'm taking Bryan's post and sticking into the OP so people will see his response immediately.

[Mich@el Ch@ng]

Bank of America said that there were incorrect expiration dates and CVV codes entered