Credit card details may have been stolen from runners after a security breach in a payment system used by several East Anglian races.
Active Network, an American company, has revealed the personal information of runners may have been compromised during a nine-month period from 2016 to 2017.
The site can be used to sign up to popular races all over the country, including Run Norwich and many other races in Norfolk and Suffolk, such as the Snetterton Race Track Half Marathon.
One runner on the Run Anglia Facebook group said: 'I just realised that shortly after signing up for Snetterton my bank phoned me to ask if it was me buying something for £250 from John Lewis as the transaction looked suspicious.
'It wasn't me and they sorted it but this explains it now.'
Another added: 'I got done along with several friends after signing up for Snetteron last year.
'It isn't anything to do with the race organisers, just the company they use to do the sign up.'
They added: 'I was in the middle of Thetford Forest marshalling an event when I had my call from the bank... was I trying to buy something from Argos at £500.'
Active Network has contacted some affected race-goers, saying in an email that 'personal information provided as part of the checkout process may have been accessed by unauthorised third parties'.
It in the email that people were affected between December 2016 and September 2017 and the data included names, addresses, email addresses, credit or debit card numbers, expiration dates and cardholder verification codes (the three digit value included on the back of payment cards and used for verification of certain transactions).
Active Network also said it had contacted the Information Commissioner's Office.
An ICO spokesman said: 'Organisations have a legal duty to ensure the security of any personal data they process.'
He added: 'We are aware of an incident relating to Active Network and are making enquiries.'
Active Network did not respond to our request for more information about the security breach.
What to do if you think you might be affected:
James Bishop, a Norwich-based expert in information and IT security, said: 'I'd say that people should be checking their statements for even small transactions that they don't recognise, ones for even under a pound.
'What the crooks will often do is put through a small transaction to prove to potential buyers that the card is active and can be used, before the card and personal information is sold on the dark web.
'And if they have any doubts at all, to contact their banks and request a new card, stating they used a compromised provider.
'Also, because the personal information included here, even without the credit cards, is possibly sufficient to be used in identity theft, watch out for any strange letters, account activity or calls from retailers regarding accounts they've not set up.'
New cyber-security rules
The data breach shows why cyber-security rules are in the process of being beefed up.
On May 25, the current Data Protection Act will be superseded by a much more forceful piece of EU legislature, the GDPR (General Data Protection Regulation).
A breach would give the Information Commissioner's Office (ICO) the power to fine companies up to €20 million, or 4pc of annual global turnover – whichever is higher, for a breach of people's personal information like this.
And this can be levied globally, so being an American company, like Dallas-based Active Network, would make no difference.
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here