Cyber Hack against Vision Direct

Share on Social

A cyber hack has exposed thousands of Vision Direct customers’ personal data.

Close up of an eye

The hack against the contact lens retailer has exposed customers’ payment card numbers, expiry dates and CVV codes. This includes payment card information for Visa, Mastercard and Maestro.

The site has warned that anyone who entered their details into the site between 12.11am on 3 November and 12.52pm on 8 November could be affected, adding that they have identified 16,300 at risk.

Vision Direct’s websites in the UK, Ireland, The Netherlands, France, Spain, Italy and Belgium are all said to have been affected.

This hack succeeded by placing a fake Google Analytics script within the websites’ code.

The BBC has noted that a spokeswoman for the company explained that 6,600 customers are believed to have had their details compromised whilst a further 9,700 have had personal data stolen excluding their card details. She added:

“This particular breach is known as Shoplift and was already known to our technology team, who installed a patch provided by our web platform provider to prevent this form of malware,”

Vision Direct has since issued an apology to their customers and will be contacting those with compromised details.

A serious breach

A cyber security researcher explained that the involvement of card security codes made this breach particularly serious.

Normally, providing your CVV code would mean you have your card to hand when making the purchase, which is in itself a security check. This check is devalued if attackers can steal this information.

What should you do

Check your bank or credit card statements. If you spot anything unfamiliar or unusual then make sure you contact your bank immediately.

Phishing scams may be used in the fallout of this news to fool people into revealing information. Always ensure you know who you are speaking with and that they are genuine. Be cautious about clicking on any links in text messages or emails.

Change your passwords. If you use the same password on multiple sites then make sure to change it, ideally using a different password for each site.

Cyber Essentials

Cyber Essentials certification shows that your business has controls against cyber attacks in five areas of your IT systems. If a criminal uses bespoke tools that he has created to gain access, then Cyber Essentials will not be adequate to protect your systems, but for the more common and freely available tools it is a great starting point. The certification covers:

  1. Boundary firewalls and internet gateways
  2. Secure configuration
  3. Access Control
  4. Malware Protection
  5. Patch Management

It is a good first step for all businesses to take to protect themselves from common threats.

You can get started here