Personal information and sensitive credit card details, including CVV codes, taken in five-day attack.
Attackers have compromised Vision Direct customers’ contact information and financial details, including complete card numbers, expiry dates and the CVV security code.
The UK retailer specialising in contact lenses told a number of its customers this weekend that their details had been stolen in a data breach that lasted five days, between 3 and 8 November.
The attackers made off with personal information, such as full name, address, phone number, email address, and password, as well as customers’ financial details including the CVV security code required to complete online transactions.
“Unfortunately this information could be used to conduct fraudulent transactions,” Vision Direct UK said in a letter to customers.
“Vision Direct has taken steps to prevent any further data theft, the website is working normally and we are working with the authorities to investigate how this theft occurred.”
Vision Direct did not say how many users may have been affected and did not offer an explanation at this early stage.
The company has asked users to review their bank statements as soon as possible and change their passwords on the website.
Questions also remain over whether the firm had been storing CVV codes in breach of PCI standards, which do not permit verification codes to be kept after payments are authorised.
But it is unclear whether the CVV codes stolen in this breach were previously stored, or intercepted as customers made transactions.
IT Pro asked the retailer how many users were affected, how exactly the attack occurred, and whether the CVV codes stolen were held or intercepted, but did not get a response at the time of writing.
Although there is no official explanation, security researcher Troy Mursch discovered that the attackers may have stolen the data by running a fake Google Analytics script on the UK website, as well as several domains across Europe.
Source: IT Pro