Vision Direct Hack Grabs Payment Card Details

The attack, affecting some 16,300 people, skimmed full payment information as it was entered on the site over a period of several days earlier this month.

Security experts have said a hack that exposed the payment card details of thousands of Vision Direct customers appears to have used methods similar to those that have recently affected British Airways and Ticketmaster.

Vision Direct, which describes itself as Europe’s biggest online retailer of contact lenses and eye-care products, said it had identified some 16,300 people affected by the incident.

The compromise exposed data including payment card numbers, expiry dates and CVV codes.

Users who entered their information on the site between 3 and 8 November may have been affected, the firm said.

Malicious script

It said a fraudulent Google Analytics script placed on the site was the apparent means of attack.

The UK site was affected as well as those in Ireland, the Netherlands, France, Spain, Italy and Belgium.

An estimated 6,600 customers had their payment details compromised, with a further 9,700 having personal details exposed, but not payment information.

Vision Direct said the exploit was known as Shoplift and that the site had already been patched to deal with the issue.

“Unfortunately, this current incident appears to be a derivative against which the patch proved ineffective,” the firm said in a statement. “We are continuing to investigate the breach and have made numerous steps to ensure this does not happen again.”

As well as customers who entered or updated their details during the period in question, those who had an order or update submitted for them by customer services representatives may also have been affected, the firm said.

It advised those who may have been affected to contact their banks or card providers.

Card details stolen

“The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV,” Vision Direct said in an alert.

Those using PayPal on the site during the period in question may have had names and addresses accessed, but not payment details.

The company, owned by France’s Essilor International, said it had informed the UK’s data regulator and Google about the attack.

Vision Direct said it would compensate customers who suffered a financial loss from the breach.

Other recent breaches have involved similar “card skimming” attacks, which steal information as it’s entered, rather than accessing data stored by a company.

A British Airways hack that affected 380,000 users in August and September appears to have involved third-party code inserted into BA’s site. That hack also affected users of BA’s mobile app.

E-commerce sites targeted

A June hack that affected up to 40,000 Ticketmaster customers in the UK is also thought to have relied on similar technology.

Leigh-Anne Galloway, cyber-security resilience lead at security firm Positive Technologies, said e-commerce firms are an attractive target for hackers, but can protect themselves by installing critical updates, using web application firewalls, carrying out file integrity monitoring and having a content security policy for the web application.

“Companies handling a high volume of customer data cannot afford to be lax when it comes to their website security,” she said. “As this attack and other attacks this year have shown, hackers are actively targeting the website to extract customer data.”
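
A content security policy of the kind Galloway mentions, together with an audit of the scripts a checkout page actually loads, can be sketched as follows. This is an added example, not code from the article or from Vision Direct; the store origin `shop.example`, the script hosts other than Google Analytics' own and the sample HTML are constructed for illustration.

```javascript
// Added example. Hosts and HTML below are constructed for illustration.
const SITE_ORIGIN = 'https://shop.example';            // hypothetical store
const ALLOWED_HOSTS = ['www.google-analytics.com'];    // approved third parties

// Constructed checkout page: own script, approved analytics, one script from
// an unapproved host posing as analytics, and one inline script.
const SAMPLE_HTML = `
<script src="/js/checkout.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://google-analytics.cdn-stats.example/ga.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>`;

// Classify every <script> tag: external tags by host, inline tags by body.
function auditScripts(html, siteOrigin, allowedHosts) {
  const siteHost = new URL(siteOrigin).hostname;
  const findings = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) {
      if (body.trim()) findings.push({ type: 'inline', detail: body.trim().slice(0, 40) });
      continue;
    }
    // Relative URLs resolve against the store's own origin.
    const host = new URL(src[1], siteOrigin).hostname.toLowerCase();
    if (host !== siteHost && !allowedHosts.includes(host)) {
      findings.push({ type: 'unapproved-host', detail: host });
    }
  }
  return findings;
}

// Build the CSP header value that makes the browser enforce the same list.
// No 'unsafe-inline': inline scripts are blocked unless moved to files.
function buildCsp(allowedHosts) {
  const sources = allowedHosts.map(h => `https://${h}`).join(' ');
  return [
    `script-src 'self' ${sources}`,   // where scripts may load from
    `connect-src 'self' ${sources}`,  // where fetch/XHR may send data
    `form-action 'self'`,             // where forms may submit
  ].join('; ');
}

console.log(auditScripts(SAMPLE_HTML, SITE_ORIGIN, ALLOWED_HOSTS));
console.log('Content-Security-Policy:', buildCsp(ALLOWED_HOSTS));
```

The audit reports the unapproved host and the inline script; the generated header makes browsers refuse both on pages served with it.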