Vision Direct reveals breach that skimmed customer credit cards

European online contact lens supplier Vision Direct has revealed a data breach that compromised full credit card details for a number of its customers, as well as personal information.

Compromised data includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.

It’s not yet clear how many of Vision Direct’s customers are affected — we’ve reached out to the company with questions.

Detailing the data theft in a post on its website, Vision Direct writes that customer data was compromised between 12.11am GMT November 3, 2018 and 12.52pm GMT November 8 — with any logged-in users who were ordering or updating their information on visiondirect.co.uk in that time window potentially being affected.

It says it has emailed customers to notify them of the data theft.

“This data was compromised when entering data on the website and not from the Vision Direct database,” the company writes on its website. “The breach has been resolved and our website is working normally.”

“We advise any customers who believe they may have been affected to contact their banks or credit card providers and follow their advice,” it adds.

(As an aside, fintech startup Revolut didn’t hang around waiting for concerned customers to call — blogging today that, on hearing the breach news, it quickly identified 80 of its customers who had been affected. “As a precaution, we immediately contacted all affected customers letting them know that we had cancelled their existing cards and would be sending them a replacement one for free,” it adds.)

Vision Direct says affected payment methods include Visa, Mastercard and Maestro — but not PayPal (although it says PayPal users’ personal data may still have been swiped).

It claims existing personal data previously stored in its database was not affected by the breach — writing that the theft “only impacted new information added or updated on the VisionDirect.co.uk website” (and only during the aforementioned time window).

“All payment card data is stored with our payment providers and so stored payment card information was not affected by the breach,” it adds.

Data appears to have been compromised via a JavaScript keylogger running on the Vision Direct website, according to security researcher chatter on Twitter.

After the breach was made public, security researcher Troy Mursch quickly found a fake Google Analytics script had been running on Vision Direct’s U.K. website.

The malicious script also looks to have affected additional Vision Direct domains in Europe; and users of additional e-commerce sites (at least one of which they found still running the fake script)…

Another security researcher, Willem de Groot, picked up on the scam in September, writing in a blog post then that: “The domain g-analytics.com is not owned by Google, as opposed to its legitimate google-analytics.com counterpart. The fraud is hosted on a dodgy Russian/Romanian/Dutch/Dubai network called HostSailor.”
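The skimmer described above worked by loading a script from a look-alike host (g-analytics.com) that a casual reviewer would mistake for google-analytics.com. As an added illustration of how a defender can catch that pattern, the following script (written for this article, not code from Vision Direct, de Groot or Mursch) audits the external scripts referenced in a page's HTML against an allowlist of expected hosts and flags any non-allowlisted host that borrows a trusted brand word. The shop origin, the allowlist contents and the sample page are constructed assumptions; the look-alike script path is a placeholder, not the real one.

```javascript
// Added example (not from the article): audit the external <script> sources
// in a page against an allowlist and flag look-alikes of trusted analytics
// hosts such as "g-analytics.com" vs "www.google-analytics.com".
// Runs under Node with no dependencies.

// Hosts this hypothetical shop expects to serve scripts from (assumption).
const ALLOWED_SCRIPT_HOSTS = new Set([
  'shop.example',             // constructed first-party host
  'www.google-analytics.com', // legitimate GA host named in the article
]);

// Brand words whose presence in a NON-allowlisted host strongly suggests
// impersonation of a trusted service.
const BRAND_HINTS = ['analytics', 'google', 'gtm', 'tagmanager'];

// Pull every script src out of raw HTML. A regex is adequate for an offline
// audit; a browser extension would walk the DOM instead.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Resolve a src relative to the page origin and classify its host as
// 'allowed', 'lookalike', 'unexpected' or 'unparseable'.
function classifyScript(src, pageOrigin) {
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch (e) {
    return { src, host: null, verdict: 'unparseable' };
  }
  const host = url.hostname.toLowerCase();
  if (ALLOWED_SCRIPT_HOSTS.has(host)) return { src, host, verdict: 'allowed' };
  const lookalike = BRAND_HINTS.some((w) => host.includes(w));
  return { src, host, verdict: lookalike ? 'lookalike' : 'unexpected' };
}

// Classify every script the page loads.
function auditPage(html, pageOrigin) {
  return extractScriptSrcs(html).map((s) => classifyScript(s, pageOrigin));
}

// Constructed sample page: a first-party script, the genuine GA include and
// a look-alike include. The look-alike path is a placeholder.
const SAMPLE_HTML = `
<html><head>
<script src="/static/checkout.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://g-analytics.com/PLACEHOLDER.js"></script>
</head><body></body></html>`;

// Print a one-line verdict per script when run directly.
function printReport(html, pageOrigin) {
  const results = auditPage(html, pageOrigin);
  for (const r of results) {
    console.log(`${r.verdict.padEnd(11)} ${r.host ?? '-'}  ${r.src}`);
  }
  return results;
}

printReport(SAMPLE_HTML, 'https://shop.example');
```

An audit like this is a point-in-time check; the same allowlist is more durable when enforced in the browser through a Content-Security-Policy `script-src` directive, which would have blocked the g-analytics.com include outright. Subresource Integrity hashes on legitimate third-party scripts also catch the case where the trusted host itself serves modified code.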

He also found the malware had “spread to various websites,” saying its creator had crafted “14 different copies over the course of 3 weeks,” and tailored some versions to include a fake payment popup form “that was built for a specific website.”

“These instances are still harvesting passwords and identities as of today,” de Groot warned about two months before Vision Direct got breached.

Update: Vision Direct has now confirmed that the malware was implemented across all its websites, including: U.K., Ireland, Netherlands, France, Spain, Italy and Belgium.

“From our investigation, we identified that a total number of 16,300 customers were at risk of their data being compromised. Of that, 6,600 may have had financial data compromised and 9,700 personal and other data. We are ensuring that we are communicating the appropriate actions to customers affected,” a spokeswoman also told us.

“The cause of the breach was a sophisticated malware infection, posing as Google Analytics code. We have since notified Google, but the link is still live and redirects to the Google platform,” she added.

“This particular breach is known as ‘Shoplift’ and was already known to our technology team, who installed a patch provided by our web platform provider to prevent this form of malware. Unfortunately, this current incident appears to be a derivative against which the patch proved ineffective. We are continuing to investigate the breach and have made numerous steps to ensure this does not happen again.”