Attackers steal credit card details in Vision Direct data breach

Personal information and sensitive credit card details, including CVV codes, taken in five-day attack

Attackers have compromised Vision Direct customers' contact information and financial details, including complete card numbers, expiry dates and the CVV security code.

The UK retailer specialising in contact lenses told a number of its customers this weekend that their details had been stolen in a data breach that lasted five days, between 3 and 8 November.

Advertisement - Article continues below

The attackers made away with personal information, such as full name, address, phone number, email address, and password, as well as customers' financial details including the CVV security code required to complete online transactions.

"Unfortunately this information could be used to conduct fraudulent transactions," Vision Direct UK said in a letter to customers.

"Vision Direct has taken steps to prevent any further data theft, the website is working normally and we are working with the authorities to investigate how this theft occurred."

Vision Direct did not say how many users may have been affected and did not offer an explanation at this early stage.

The company has asked users to review their bank statements as soon as possible and change their passwords on the website.

Questions also remain over whether the firm had been storing CVV codes against PCI standards, as it is not permitted to keep verification codes after payments are authorised.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

But it is unclear whether the CVV codes stolen in this breach were previously stored, or intercepted as customers made transactions.

IT Pro asked the retailer how many users were affected, how exactly the attack occurred, and whether the CVV codes stolen were held or intercepted, but did not get a response at the time of writing.

Although there is no official explanation, security researcher Troy Mursch discovered that the attackers may have stolen the data by running a fake Google Analytics script on the UK website, as well as several domains across Europe.

Perhaps running against the consensus, CEO of web security firm High-Tech Bridge Ilia Kolochenko has branded this incident "much fuss about nothing".

"Allegedly, the breach lasted for five days and impacted only a very limited, statistically negligent, number of customers," he said. We have been seeing much worse data breaches occur on a daily basis.

"Similarly, the supposed method of data theft via a fake Google analytics script presumably inserted by developers' mistake is not novel or otherwise remarkable. Instead it is just one more colourful example of when a human is the weakest link."

Advertisement - Article continues below

"Strange that such a visible hack remained undetected by third parties for five consecutive days however."

The Information Commissioner's Office (ICO) told IT Pro it had not yet received any reports concerning the Vision Direct data breach.

"Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people's rights and freedoms," an ICO spokesperson said.

"If an organisation decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported if necessary.

"All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us."

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Recommended

Visit/security/phishing/355810/zloader-malware-returns-as-a-coronavirus-phishing-scam
phishing

ZLoader malware returns as a coronavirus phishing scam

27 May 2020
Visit/security/hacking/355806/anarchygrabber-hack-steals-discord-tokens-ids-and-passwords
hacking

AnarchyGrabber hack steals Discord tokens, IDs and passwords

27 May 2020
Visit/security/hacking/355801/scammers-using-coronavirus-contact-tracing-in-hacking-attempt
hacking

Scammers leverage contact-tracing in hacking attempt

27 May 2020
Visit/security/phishing/355793/gitlab-phishes-its-remote-employees-and-1-in-5-fell-for-it
phishing

GitLab phished its employees and 20% handed over credentials

26 May 2020

Most Popular

Visit/infrastructure/server-storage/355785/dell-emc-poweredge-r7525-review-an-epyc-core-density-to-make
Server & storage

Dell EMC PowerEdge R7525 review: An EPYC core density to make Intel weep

26 May 2020
Visit/infrastructure/network-internet/355792/intel-releases-wi-fi-and-bluetooth-driver-updates-for
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020
Visit/operating-systems/microsoft-windows/355781/microsoft-confirms-further-issues-with-troublesome
Microsoft Windows

Microsoft's latest Windows 10 update is causing yet more issues

26 May 2020