Vision Direct suffers major consumer hack

(Image credit: Image Credit: Blogging Beautifully)

The personal details, including credit card numbers, expiration dates and CVV codes, of thousands of Vision Direct customers have been exposed following a hack against Europe's largest online seller of contact lenses and eye care products.

The online retailer noted that anyone who entered their details into its site between 3 and 8 November could be affected with 16,300 customers identified as being at risk.

Vision Direct revealed that a fake Google Analytics script hidden within its sites' code was the cause of the hack and that its UK site was involved as well as local versions for Ireland, the Netherlands, France, Spain, Italy and Belgium.

A company spokesperson told the BBC that 6,600 customers were believed to have had their financial data compromised while 9,700 people had just their personal data exposed.

Shoplift malware

Vision Direct's spokesperson provided further details on the cause of the breach to the BBC, saying:

"This particular breach is known as Shoplift and was already known to our technology team, who installed a patch provided by our web platform provider to prevent this form of malware. Unfortunately, this current incident appears to be a derivative against which the patch proved ineffective. We are continuing to investigate the breach and have made numerous steps to ensure this does not happen again."

After news of the attack spread, Vision Direct apologised to those who were affected by the hack in a statement on its site in which it urged anyone who updated their details between 3 and 8 November to contact their banks and or credit card providers, saying:

"The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV. We understand that this incident will cause concern and inconvenience to our customers. We are contacting all affected customers to apologise."

The company also noted that those who used PayPal during the period might have had their personal details exposed but their payment details should be safe.

Via the BBC

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.