Vision Direct, a contact lens retailer in the UK, has reported that a hack has exposed the financial information of thousands of its customers, including personal data and card details.
The company said that the payment card numbers, expiry dates and CVV codes of up to 16,300 people, namely customers who logged in or created a new account on the Vision Direct website between November 3rd and November 8th, could have been at risk because of an attack on the site.
The company stated:
The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.
The theft of CVV numbers from payment cards means that this data breach is significant; the CVV number is usually requested to ensure that the person making the payment, usually online, has the card in their physical possession. If a person is able to provide this, they will be able to make any number of online transactions.
However, because of the nature of the attack it seems that data already stored in the website’s database was not vulnerable.
The hack was reportedly dealt with, and it’s said that the website is now safe and operating normally again.
A spokeswoman for Vision Direct told the BBC:
This particular breach is known as Shoplift and was already known to our technology team, who installed a patch provided by our web platform provider to prevent this form of malware.
Unfortunately, this current incident appears to be a derivative against which the patch proved ineffective. We are continuing to investigate the breach and have made numerous steps to ensure this does not happen again.
Vision Direct were said to be contacting all affected customers to apologise for the data breach, but any customers concerned that they might have been hacked should call 020 7768 5000 from the UK or 1 800 870 0741 from the US.