European online contact lens supplier Vision Direct has revealed a data breach which compromised full credit card details for a number of its customers, as well as personal information.
Compromised data includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV. IT security experts commented below.
Craig Young, Security Researcher at Tripwire:
In addition to getting new credit cards, anyone who logged into Vision Direct during this time needs to quickly assess whether this password is unique to Vision Direct. A common attacker technique is to reuse email/username and password combinations on other valuable services. Attackers may use this additional access to create a more comprehensive dossier on a victim which can then either be resold for more money or directly used for identity theft.
Brooks Wallace, Head of EMEA at Trusted Knight:
“Another large merchant’s website is targeted by hackers for customer payment information, using an attack technique that seems all too familiar in 2018. Capturing customer details as they input them onto the website is also how the British Airways and Ticketmaster hackers operated.
“Vision Direct may seem like an unlikely target. However, the retailer claims to be Europe’s biggest online seller of contact lenses and eye care products, suggesting that it was evidently in the crosshairs for the high volume of customers going through the site. The data they managed to take from Vision Direct is the jackpot for the criminals. Payment card numbers, expiry dates and CVV codes are the holy trinity of details needed to make purchases using customer cards. Obtaining the CVV code is especially bad, as this is usually the key in verifying that you are the real card holder.
“If you entered your details on the Vision Direct website between the affected time window (3rd-8th November) you should cancel your card right away. While it may still be sitting in your wallet, effectively your card has been stolen, and you need to take the same recourse you would if it had been pickpocketed.”