Online contact lens retailer Vision Direct has become the latest retailer to suffer a data breach. The company issued a warning to customers yesterday that its website, visiondirect.co.uk, had been compromised. It stressed that the attackers had only captured data entered into the website and had not accessed the Vision Direct customer database.
Its statement said that: “The breach has been resolved and our website is working normally.”
The company said that the breach occurred between 12.11am GMT on 3rd November 2018 and 12.52pm GMT on 8th November 2018. During that period, the attackers were intercepting data as customers entered it into the site. Data entered by the customer service team on behalf of customers was also affected. As a result, the attackers were able to capture payment card data including the CVV (the three-digit security code). This is the signature of a skimmer rather than a database breach: a merchant is not permitted to store the CVV after authorisation, so the only place to steal it is at the moment it is typed in.
Vision Direct has warned that the customer data compromised is believed to include:
- Full name
- Billing address
- Email address
- Telephone number
- Payment card information, including card number, expiry date and CVV.
The company has said that this affects any customers who paid with Visa, Mastercard or Maestro. Customers who paid with PayPal are believed not to be affected, which is consistent with a skimmer on the site's own checkout form: PayPal customers enter their card details on PayPal's pages, not on visiondirect.co.uk.
What should customers do?
There are several actions any affected Vision Direct customer should take immediately. These include:
- Contact card issuers and banks to have the affected payment cards cancelled and reissued.
- Set up fraud alerts with the credit reference agencies and monitor credit reports. At the moment it is unknown whether Vision Direct will offer customers credit monitoring.
- Check all credit card and bank statements carefully and report unusual transactions. Fraudulent use often starts with a charge of under £1 to confirm that the card is still live; once it is, the card is used for increasingly larger transactions.
- Change the password on the Vision Direct site, and on any other site where the same password may have been reused.
- Enable multi-factor authentication on every shopping site that offers it.
How did this happen?
Once again this is an attack on a website using a malicious piece of JavaScript injected into the checkout. It follows the same pattern as the attacks on British Airways, Ticketmaster, Shopper Approved, Newegg and other retailers. The attackers were able to substitute their own code for a legitimate script; in this case it is believed that they used a script posing as Google Analytics.
How the attackers were able to swap their own code in for the genuine Google Analytics script will be the subject of any investigation. Changes to any code on the website should be identified, tracked and subject to approval, and a change to a script tag or to the source it loads should have raised an alert. Until the investigation is complete it is hard to say whether this was caused by a vulnerability or aided by an insider. If the latter, it could be a malicious individual or someone who was tricked into uploading the code.
Another possibility is that someone's credentials were compromised. Even if that is not the case, Vision Direct should be asking all staff to change their passwords immediately, and should rotate any credentials that can deploy code to the site.
What does the industry say?
Responses to this attack have been predictable. Most comments have warned of the size of any GDPR fine. Until we know how the attack happened and how many customers are affected, the size of the fine is moot. Surprisingly, the Information Commissioner's Office (ICO) says that it has yet to be contacted by Vision Direct.
Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, commented: “VisionDirect’s reaction seems to be prompt and transparent. Technical details are missing so far but, under the circumstances, it is indeed uneasy to reliably identify all of the victims. Strange that such a visible hack remained undetected by third parties for five consecutive days however.”
Brooks Wallace, Head of EMEA for Trusted Knight, said: “Another large merchant’s website is targeted by hackers for customer payment information, using an attack technique that seems all too familiar in 2018. Capturing customer details as they input them onto the website is also how the British Airways and Ticketmaster hackers operated.
“Payment card numbers, expiry dates and CVV codes are the holy trinity of details needed to make purchases using customer cards. Obtaining the CVV code is especially bad, as this is usually the key in verifying that you are the real card holder.”
According to Adenike Cosgrove, cybersecurity strategist, EMEA, Proofpoint: “Organisations are at their weakest post-breach when it comes to fraud. As we saw with Equifax, hackers almost immediately distributed phishing attempts to try and capitalise on the incident. As well as cancelling credit cards and checking bank statements, users affected by this breach should be extremely vigilant in confirming the source of all emails that are sent to their email inbox and be on the lookout for suspicious phishing attempts, in order to stay safe.”
What does this mean?
Another day, another breach, another hacked website. It is a story that plays out in journalists' inboxes on an almost daily basis. There is a lot here that we do not yet know, but there is also enough for customers to act quickly. How it will affect Vision Direct in the long term is unknown. If customers do not suffer fraud as a result, the impact will be minimal.
At the moment Vision Direct is trying to keep this contained. It is not responding to requests from the press. When the news broke we called Vision Direct. The switchboard said all requests had to be emailed to Ashley Mealor, Chief Marketing Officer. However, as of this morning, Mealor has declined to answer any of our questions, which included:
- How many customers are affected?
- Was the malware installed on a site run and managed by Vision Direct or by a partner?
- Can you give a definitive list of what data you believe has been stolen by the malware?
- When was the attack detected?
- The ICO says that it has not yet been informed of the attack. As it is now more than 72 hours since the breach was discovered, the deadline GDPR sets for notifying the regulator, why has there been no contact with the ICO?
- Why did your security software not detect the malware installed on the websites?
- Has this affected any of your trading partners?
Until Vision Direct completes its internal investigation we may hear nothing. What is surprising is that it has neither spoken to the ICO nor openly offered customers credit monitoring or fraud protection. The latter is a staple response of most breached organisations. For now it is a case of watch and wait for more details.