Incident Of The Week: UK-Based Vision Direct Discloses Data Breach

Magecart Group May be Responsible

Esther Shein

UK eye care company Vision Direct has disclosed an undetermined number of customers’ financial and other personal data was leaked earlier this month after a breach of its website.

The breach occurred between Nov. 3 and Nov. 8, according to Vision Direct, which claims to be the largest e-tailer of contact lenses and eye care products and services in Europe. It identified 16,300 people as being at risk, the company told the BBC.

It has since been resolved and “Vision Direct has taken the necessary steps to prevent any further data theft, the website is working normally, and we are working with the authorities to investigate how this theft occurred, ’’ the company said in a statement.

The breach occurred when “fake Google Analytics JavaScript designed to capture card details, appears to have been planted by the prolific cybercrime gangs known as Magecart,” according to Data Breach Today. Magecart refers to a group of persistent credit card skimming hackers. There are at least six distinct groups operating Magecart skimming scams, each with their own approach, according to TechCrunch.

See Related: Incident Of The Week: May Eye Care And Health First Both Report Breaches Of Customer Information

In addition to Vision Direct’s UK site, its local sites in Ireland, the Netherlands, France, Spain, Italy and Belgium were also impacted.

A Vision Direct spokeswoman told the BBC that the financial data of 6,600 customers is believed to have been compromised, while another 9,700 people had personal data but not card details exposed.

Included among the compromised personal information were patient names, phone numbers, email addresses, passwords and credit card information, Vision Direct said. While storing CVV data in any form is prohibited by Payment Card Industry Data Security Standard specifications, the company said if it was entered between 12:11 GMT on Nov. 3 and 12:52 p.m. on Nov. 8th, it may have been compromised.

It is particularly serious when card security codes are breached, cyber security researcher Scott Helme told the BBC. Helme also told The Register the attack appeared to be similar to ones suffered by British Airways and Ticketmaster. Both of those companies were also targeted by Magecart cyber hackers exploiting "third party dependencies or weaknesses in the application itself," The Register reported.

Customers using PayPal during the compromised period were not impacted by the breach, according to Vision Direct. Any customer who logged in or updated details on their Vision Direct UK account during that time period is advised to contact their bank or credit card company for advice, the company recommended. RiskIQ advises retail website owners to take a layered approach to security with patches and segregated servers, TechCrunch reported.