US

Security notice – important information for Train Trax UK customers

Last updated: 13th Feb 2026

I didn’t want to have to write this, but we need to share a serious security update.

Summary

We identified and removed malicious code on our website. Out of an abundance of caution, we are notifying customers that details entered on our website may have been compromised.

What happened

  • Monday 2 February: we were alerted to the possibility that our checkout may have been compromised
  • Tuesday 3 February: we confirmed the issue, disabled the site immediately, and alerted the ICO
  • Wednesday 4 February: after making the site safe, we re-enabled it

Since then, our own developers Firepages, and Wordfence’s specialist incident response team have investigated. Wordfence identified malicious code on the site and removed it.

  • Thursday 12 February: we emailed all customers who bought from us over the last two years out of an abundance of caution.

We believe it is currently safe to browse and place orders via the website including using credit cards. If you'd rather place orders another way then please contact us (details below).

What information may be involved

At this stage, the information that may be affected could include details entered at checkout, such as:

  • Name
  • Billing/shipping address
  • Email address and phone number
  • Order details

Payment card details: based on what we currently know, any risk here mainly relates to customers who entered card details at checkout (card payments processed via Stripe). No card details are normally stored on our systems.

We are aware that some customers have had card details used elsewhere after shopping with us. We’re extremely grateful to those who reported this quickly, because it helped us identify the problem.

Timing

Although we were alerted on 2 February and acted immediately, the investigation suggests the issue may have been present earlier. We’re still working to confirm the time window and scope, and we’ll share clearer information if we can do so confidently.

What we recommend you do now

  1. Check your bank/card statements for any transactions you don’t recognise
  2. If you entered card details at checkout on our site recently, contact your card provider and ask them to monitor your account (they may recommend replacing the card)
  3. Be alert to phishing. We will never ask for passwords or payment details by email
  4. If you reuse passwords across sites, change them, and use a unique password for important accounts

What we’re doing next

We had protection in place before this incident, but it did not work as it should have. We’re taking that extremely seriously, and we’re applying hardening and security recommendations coming out of the investigation.

Contact

If you have any questions, please reply to this email and we’ll help as best we can. You can also contact us at help@traintrax.co.uk. As a tiny business we have limited capacity to answer the phone in realtime but if you need to speak with us in person then please try 01904 215416.

We’re genuinely sorry for the worry and inconvenience this may cause. Thank you to all those who have sent messages of support since we announced this.

— Ian, TrainTrax / Model Railway Magic Ltd

"Probably the largest range of Kato Unitrack, Unitram
and buildings available in the UK today"

Train Trax exclusively Kato!

Model Railway Magic Ltd
Unit 15
The Bull Centre
Stockton Lane
York
YO32 9LE

Email: help@traintrax.co.uk

Tel: 01904 215416

VAT Regn No. GB 397 2064 71
Company Number: 12703527

Facebook
Twitter
fb-share-icon
Instagram

(C) Model Railway Magic Ltd 2023

site by firepages
Join Waiting list We will inform you when the product arrives in stock. Please leave your valid email address below.