Thousands of Vision Direct customers’ data exposed in hack
Written by Hannah McGrath
The personal and credit card details of thousands of customers of Vision Direct have been exposed following a major hack on the online contact delivery service.
Vision Direct confirmed that customers entering their details onto its website between 3 and 8 November could have had their credit card numbers, expiration dates and CVV codes stolen, with 16,300 customers potentially affected.
Europe’s largest online seller of contact lens products said that a fake Google analytics script which had been secreted in the site’s code was the source of the hack.
Sites in the UK, Ireland, Netherlands, France, Spain, Italy and Belgium were affected.
Vision Direct told the BBC that 6,600 customers were understood to have had their financial data compromised while 9,700 people had more general personal data exposed.
A statement posted to the company’s website said this data was compromised when entering data on the website and not from the Vision Direct database.
It added that the breach has been resolved and the website was now working normally.
Customers who logged into their Vision Direct account on the affected dates are being advised to contact their bank or credit card providers. Customers using PayPal were unaffected.
The online statement said: “We understand that this incident will cause concern and inconvenience to our customers. We are contacting all affected customers to apologise and continue to inform you of any updates in the next few days.”
The spokesman said: “This particular breach is known as Shoplift and was already known to our technology team, who installed a patch provided by our web platform provider to prevent this form of malware.
“Unfortunately, this current incident appears to be a derivative against which the patch proved ineffective. We are continuing to investigate the breach and have made numerous steps to ensure this does not happen again."
The breach comes after major firms including Dixons Carphone and British Airways experienced hacking attempts which left thousands of customers’ data exposed.
A recent report from Veracode, an application security company, found that 66 per cent of applications used by retailers are vulnerable to information leakage attacks which could leave sensitive data such as date of birth and financial details exposed.
The report found that technology and financial were the two sectors worst-hit by information leakage, with retail coming in third.
However, when it came to addressing flaws in software, retail came second only to healthcare in its speed of shutting down potential vulnerabilities.
Commenting on the survey results, Paul Farrington, director of EMEA at Veracode, said: “With the busy holiday shopping season arriving, vulnerabilities in applications can allow attackers seeking sensitive information such as consumer payment data a way in.”
He added: “Many retailers are showing an aptitude for remediating flaws quickly to help improve security and protect their high value information. This is promising, yet the persistence and prevalence of vulnerabilities that continues to plague retailers calls for both increased speed of fix and better prioritising which flaws to fix first.”