[BreachExchange] Attackers steal credit card details in Vision Direct data breach

Mon Nov 19 09:28:31 EST 2018

https://www.itpro.co.uk/data-breaches/32393/attackers-steal-credit-card-details-in-vision-direct-data-breach

Personal information and sensitive credit card details, including CVV
codes, taken in five-day attack

Attackers have compromised Vision Direct customers’ contact
information and financial details, including complete card numbers,
expiry dates and the CVV security code.

The UK retailer specialising in contact lenses told a number of its
customers this weekend that their details had been stolen in a data
breach that lasted five days, between 3 and 8 November.

The attackers made away with personal information, such as full name,
address, phone number, email address, and password, as well as
customers’ financial details including the CVV security code required
to complete online transactions.

"Unfortunately this information could be used to conduct fraudulent
transactions," Vision Direct UK said in a letter to customers.

"Vision Direct has taken steps to prevent any further data theft, the
website is working normally and we are working with the authorities to
investigate how this theft occurred."

Vision Direct did not say how many users may have been affected and
did not offer an explanation at this early stage.

The company has asked users to review their bank statements as soon as
possible and change their passwords on the website.

Questions also remain over whether the firm had been storing CVV codes
against PCI standards, as it is not permitted to keep verification
codesafter payments are authorised.

But it is unclear whether the CVV codes stolen in this breach were
previously stored, or intercepted as customers made transactions.

IT Pro asked the retailer how many users were affected, how exactly
the attack occurred, and whether the CVV codes stolen were held or
intercepted, but did not get a response at the time of writing.

Although there is no official explanation, security researcher Troy
Mursch discovered that the attackers may have stolen the data by
running a fake Google Analytics script on the UK website, as well as
several domains across Europe.

Perhaps running against the consensus, CEO of web security firm
High-Tech Bridge Ilia Kolochenko has branded this incident “much fuss
about nothing”.

"Allegedly, the breach lasted for five days and impacted only a very
limited, statistically negligent, number of customers,” he said. We
have been seeing much worse data breaches occur on a daily basis.

"Similarly, the supposed method of data theft via a fake Google
analytics script presumably inserted by developers’ mistake is not
novel or otherwise remarkable. Instead it is just one more colourful
example of when a human is the weakest link."

"Strange that such a visible hack remained undetected by third parties
for five consecutive days however."

The Information Commissioner’s Office (ICO) told IT Pro it had not yet
received any reports concerning the Vision Direct data breach.

"Organisations must notify the ICO within 72 hours of becoming aware
of a personal data breach unless it does not pose a risk to people’s
rights and freedoms," an ICO spokesperson said.

"If an organisation decides that a breach doesn’t need to be reported
they should keep their own record of it, and be able to explain why it
wasn’t reported if necessary.

"All organisations processing personal data should do so safely and
securely. If anyone has concerns about how their data has been
handled, they can report these concerns to us."