Vision Direct, which claims to be Europe’s biggest online seller of contact lenses and eye care products, has admitted to a damaging data breach which has exposed customers’ personal data, including payment card numbers, expiry dates and CVV codes.
The company, which has yet to reveal how many customers have been affected, said anyone who entered their details into its site between November 3 and November 8 could have had their data compromised.
Although there is no official explanation, security researchers have discovered that the attackers may have stolen the data by running a fake Google Analytics script on the UK website, as well as several domains across Europe.
A statement on Vision Direct’s site said: “The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV. We understand that this incident will cause concern and inconvenience to our customers. We are contacting all affected customers to apologise.”
Vision Direct’s site had previously said that all card payments made to its service were “totally secure” and that it had never once heard of a case of them being misused.
In the meantime, its Twitter account has been telling customers that “compensation will be considered on an individual basis should there be any material loss incurred”.
The Information Commissioner’s Office said it had yet to be formally notified of the incident. “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms,” said a spokeswoman. “If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”