
CVV codes lifted in Vision Direct breach

Vision Direct says that the personal details and payment card numbers, expiry dates and CVV codes of thousands of customers have been stolen by criminal hackers.

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The online eyewear retailer says the theft affects all customers who ordered or updated their information on visionDirect.co.uk between 3-8 November.

The data was captured as customers entered it on the website, through a bogus Google Analytics script, rather than taken from the Vision Direct database.

The personal information exposed includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.

About 6600 customers had their financial details compromised, while a further 9700 had personal data, but not card information, stolen.

"This particular breach is known as Shoplift and was already known to our technology team, who installed a patch provided by our web platform provider to prevent this form of malware," a spokeswoman told the BBC. "Unfortunately, this current incident appears to be a derivative against which the patch proved ineffective. We are continuing to investigate the breach and have made numerous steps to ensure this does not happen again."

Impacted customers are advised to contact their banks and inform them of the breach.
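The skimming mechanism described above, a bogus analytics script capturing card data in the browser before it ever reaches the merchant's database, is what a script-origin audit of a checkout page is meant to surface. The following is an added example, not code from Finextra, Vision Direct or their platform provider; the allowlist, the first-party host `shop.example`, the lookalike domain and the sample HTML are all constructed assumptions.

```javascript
// Added example: flag <script> tags on a checkout page whose origin is not
// on an allowlist. Hosts, sample HTML and the lookalike domain are constructed.
const ALLOWED_SCRIPT_HOSTS = new Set([
  "www.google-analytics.com",
  "www.googletagmanager.com",
]);

// Extract the src attribute of each <script> tag; inline scripts yield null.
function extractScriptSources(html) {
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /\bsrc\s*=\s*["']([^"']+)["']/i;
  const sources = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const s = srcRe.exec(m[1]);
    sources.push(s ? s[1] : null);
  }
  return sources;
}

// Classify each script as "allowed", "unexpected-host", "inline" or
// "unparseable". Relative URLs resolve against the first-party host.
function auditScripts(html, firstPartyHost, allowed = ALLOWED_SCRIPT_HOSTS) {
  return extractScriptSources(html).map((src) => {
    if (src === null) return { src: null, verdict: "inline" };
    let host;
    try {
      host = new URL(src, `https://${firstPartyHost}/`).hostname;
    } catch (e) {
      return { src, verdict: "unparseable" };
    }
    const ok = host === firstPartyHost || allowed.has(host);
    return { src, host, verdict: ok ? "allowed" : "unexpected-host" };
  });
}

// Constructed checkout page: a genuine analytics loader, a first-party
// script, a tag pointing at a lookalike domain (placeholder name), and an
// inline script that a reviewer would want to read rather than trust.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/static/checkout.js"></script>
<script src="https://google-analytics.example/analytics.js"></script>
<script>console.log("inline")</script>
</head><body><form id="payment"></form></body></html>`;

// In practice this audit complements, not replaces, a CSP script-src
// allowlist and Subresource Integrity on third-party scripts.
const findings = auditScripts(SAMPLE_CHECKOUT_HTML, "shop.example");
```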

Comments: (3)

A Finextra member 

And why were they holding this data?

Trevor Jenkins, Director at Maylands Consulting Ltd

Vision Direct say the data was not extracted from the VE database but captured as customers typed the data into the web site. This could be done by a JavaScript keylogger running on the web site activated by a fake Google Analytics script.

Vision Direct also say that they hold no payment card data, which is held at their payment providers.

Sounds like this is not a PCI-type breach.

A Finextra member 

Many thanks for picking up further data in the story. This appears to be the main method being used from what we can know of those cases which are reported.