In a five-day attack between the 3rd and 8th of November, over 16,300 customers of the online optical retailer, Vision Direct, had their personal details exposed, with 6,600 including card data. Sensitive information included full names, addresses, email addresses, passwords, telephone numbers and payment card information, such as the card number, expiry date and CVV.
The apparent cause of the breach is said to have been a fake Google Analytics script placed within the code of Vision Direct’s website, allowing the attackers to bypass its security defences. This affected not only the UK site but also the local versions for Ireland, the Netherlands, France, Spain, Italy and Belgium.
A spokeswoman for Vision Direct said:
“This particular breach is known as Shoplift and was already known to our technology team, who installed a patch provided by our web platform provider to prevent this form of malware. Unfortunately, this current incident appears to be a derivative against which the patch proved ineffective. We are continuing to investigate the breach and have made numerous steps to ensure this does not happen again.”
The contact lens and eye care retailer is taking the necessary precautions to prevent any further data breaches and has issued an apology to any of its customers who may have been affected. Its statement advised that anyone who updated their details, submitted an order or requested an update during the stated period should contact their bank or credit card provider.
Vision Direct added that it had informed customers that anyone suffering financial loss as a result of the breach will be compensated.
This is one of many high-profile online data breaches involving card data to have occurred in 2018, alongside those at British Airways and NewEgg. Organisations that rely primarily on ecommerce sales could face greater fallout from a data breach, with damage to online sales and credibility until they rebuild their customers’ trust.
Protecting consumer data is vital, especially for ecommerce organisations, where attackers are becoming more sophisticated and refine their approach daily. Directing customers to pay on a secure, PCI DSS compliant web payment page that is hosted off premise and does not store sensitive cardholder data (CHD) dramatically reduces the risks involved in processing payments. The website database and network environment are descoped from any QSA audit or PCI DSS Self-Assessment, and the organisation’s responsibility for protecting its customers’ financial data during the payment stage is passed on to a dedicated PCI DSS compliant provider.
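The attack described above relied on a script that did not belong on the site's pages, so one routine defensive check is to inventory every script a checkout page loads and flag any source that is not on an explicit allowlist. This still matters with an off-premise payment page, because the merchant's own page controls where customers are sent and what runs before they get there. The following Python is an added example written for this article, not Vision Direct's or any vendor's code; the allowlist, the sample HTML, the `www.shop.example` page host and the `.invalid` lookalike host are constructed for illustration.

```python
"""
Audit a checkout page's HTML for <script> tags whose source is not on an
explicit allowlist, the kind of change a fake "Google Analytics" script
injected into a site's templates would produce.  Added example; the
allowlist, sample HTML and hostnames below are constructed, not real IoCs.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the checkout page is expected to load third-party scripts from
# (assumed allowlist; a real one comes from the site's own inventory).
ALLOWED_SCRIPT_HOSTS = {
    "www.google-analytics.com",
    "www.googletagmanager.com",
}


class ScriptCollector(HTMLParser):
    """Collect every <script> on the page: external src, or inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # each entry: {"src": str | None, "inline": str}
        self._in_inline = False  # True while inside an inline <script> body

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            self.scripts.append({"src": src, "inline": ""})
            self._in_inline = src is None

    def handle_data(self, data):
        if self._in_inline:
            self.scripts[-1]["inline"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline = False


def script_host(src, page_host):
    """Host a script src loads from; relative URLs load from the page itself."""
    parts = urlsplit(src)
    return parts.netloc.lower() if parts.netloc else page_host


def audit_scripts(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return a list of findings for scripts that are not expected on the page.

    First-party scripts (same host as the page) are accepted; external scripts
    must come from an allowlisted host; inline scripts are always reported
    because a skimmer can equally be pasted straight into a template.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            findings.append(f"inline script ({len(s['inline'].strip())} chars)")
            continue
        host = script_host(s["src"], page_host)
        if host != page_host and host not in allowed:
            findings.append(f"external script from unexpected host: {host}")
    return findings


# Constructed sample page: a legitimate tag-manager script, a first-party
# script, an external script from a lookalike host (placeholder .invalid
# domain, not a real indicator) and one inline script.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-PLACEHOLDER"></script>
<script src="/static/js/checkout.js"></script>
<script src="https://google-analytics.lookalike.invalid/analytics.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="checkout"></form></body></html>
"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_CHECKOUT_HTML, "www.shop.example"):
        print(finding)
```

Run against the sample, the audit reports the lookalike host and the inline script and stays silent on the allowlisted tag-manager script and the first-party file. In practice the check is run on a schedule against the live page and its output compared with the last known-good inventory, so that a newly appearing script source becomes an alert rather than something discovered after card data has left the site.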