LONDON – Jayne Mitchell was looking for a travel electrical adapter and insect repellent for a trip to India when she came across www.travelwithcare.com.
"I did a search, and they were the first site that came up. I bought the stuff straight away," she said.
Mitchell, who regularly shops online for everything from groceries to electrical goods and concert tickets, thought nothing of entering her credit-card details along with her address and phone number and made the purchase at 7:12 p.m. on March 1.
Two weeks later, on safari in Rajasthan, she and her husband, Phil, received a call from their daughter to say that Barclays Bank had been in touch about suspicious transactions.
"Two attempts had been made to purchase goods totaling £950 [$1,700] in America in the previous couple of days and they asked if we recognized them," Mitchell, 47, a property consultant, said. "We said, 'No,' and the card was canceled immediately."
Another travelwithcare.com customer, David Brown, bought a money belt, Swiss Army knife and towel at 4 p.m. on March 1 for his son's backpacking trip.
Two days later, a $166 (£95) transaction was made on his account at www.bluehost.com, a Web-hosting company in Utah.
A second came four days later at Cordia IP, an Internet-based VoIP (Voice over Internet Protocol) provider, for $123.
After the third, for £5 ($8) in France, his bank got in touch and the account was canceled.
The Times was passed Mitchell's and Brown's phone and credit card numbers, along with those of 22 other names that had been stolen from a British server.
By ringing the calling on the list and checking which purchases they had made at that time, the paper was led to Homeway/Travel With Care, based in Amesbury, Wiltshire.
Eight customers that The Times was able to contact confirmed that they had purchased goods from the company on either March 1 or 2.
Shortly after that, Travelwithcare's server was, unknown to the company, apparently hacked into and some of its customers' credit-card numbers, addresses, phone numbers, dates of birth and e-mail addresses were stolen.
Within days, the information had been posted in an Internet chatroom frequented by fraudsters based in Eastern Europe or southeast Asia and sold for as little as $100. The card numbers — without PINs — along with other personal details would have fetched about $5 each.
Almost all the customers were contacted by their banks, which reported that fraudulent transactions had been attempted on their cards.
"It's really frightening," said Mitchell, from Stamford, Lincolnshire. "I don't take many precautions other than try to use names I think are trusted. But how would you know?"
"It is scary," Brown, a retired teacher from Pontefract, Yorkshire, said. "One assumes buying online is safe, but I shall certainly have reservations and be much more cautious."
On December 27 the personal details of eight Britons were taken from a server and posted shortly afterwards in a chatroom whose users have names such as "The Ripper", "Dark Night" and "The Loner."
The Times contacted six of the card holders and they confirmed that they had tried that day to buy a Sony Vaio laptop from Systems Assurance, a Sheffield-based computer retailer.
One of them was Steve Kemp, a structural engineer from Southampton, whose bank was alerted when somebody had attempted a $1 transaction with a company called Yahoo Wallet.
"They'll request a small amount to check that the account is still active and then whack you for thousands of pounds," said Kemp, 29, who rarely shops online.
Chris Wheater, the managing director of Systems Assurance, said that he was unaware of any breach and that his company reviewed its computer security every week. He added that the site had stopped taking Internet orders and took payment only by check.