Vision Direct reveals customer credit card leak, fake Google script may be to blame

Updated: The personal and financial data of customers has been stolen.

Vision Direct has revealed a serious data breach -- one that GDPR regulators are likely to take interest in -- leading to the widespread theft of customer data.

The York, UK-based contact lens supplier said on Sunday that between 12.11am on November 3 and 12.52pm GMT on November 8, 2018, the "personal and financial details of some of our customers ordering or updating their information on VisionDirect.co.uk was compromised."

In a statement, the contact lens supplier, which ships its products worldwide, added that the information stolen includes names, billing addresses, email addresses, passwords -- although it is not clear if these were stored in plaintext or hashed -- as well as telephone numbers.

The theft of such a wide range of information which can be used for the purposes of identity theft is a grim prospect in itself; however, payment card information was also stolen including card numbers, expiry dates, and CVV security codes -- which is more than enough to conduct fraudulent purchases.

It is worth noting that the theft only relates to information which was entered into the Vision Direct domain during the incident's timeframe, so existing personal data already stored in the firm's databases is not believed to be affected.

"All payment card data is stored with our payment providers and so stored payment card information was not affected by the breach," Vision Direct says.

So, if you made a purchase or changed your details between November 3 and 8 on VisionDirect.co.uk, you may have had your information stolen. In addition, if you called Vision Direct customer service and an employee made changes on your behalf, you may also have been affected by the security breach.


Customers making payments via Visa, Mastercard, or Maestro may have been affected. The financial information of PayPal customers is believed to have escaped the threat actor's clutches -- but not so when it comes to the personal information of these customers.

Vision Direct has not revealed any estimates on how many customers are involved.

"We understand that this incident will cause concern and inconvenience to our customers," the company says. "We are contacting all affected customers to apologize and continue to inform you of any updates in the next few days."

Customers will receive a separate email on how to change their account passwords if they are among those affected. Beyond that -- and the assertion that the website will now process orders as normal -- Vision Direct has directed customers to their own banks and financial services to check for fraud and security risks.


It did not take long before cybersecurity experts began examining the potential root causes of the widespread theft.

According to security researcher Troy Mursch, a fake Google Analytics script may be to blame. The same script, unfortunately, appears to be hosted on other domains as well, and the affected vendors have been notified.

Researcher Willem de Groot first explored the use of this particular malicious script back in September, saying:

"The domain g-analytics.com is not owned by Google, as opposed to its legitimate google-analytics.com counterpart. The fraud is hosted on a dodgy Russian/Romanian/Dutch/Dubai network called HostSailor.

The malware behaves pretty much like the real Google Analytics, and it wouldn't raise any dev eyebrows while monitoring Chrome's waterfall chart."
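A defender-side check for this kind of lookalike tag, added here as an example that is not from the article or from either researcher: it lists every external script host on a checkout page, accepts those on an allowlist, and flags hosts that share a distinctive label with an allowed host without being one (g-analytics.com against google-analytics.com). The allowlist and the page fragment are constructed for the example; it assumes Python 3.9 or later.

```python
import re
from urllib.parse import urlparse

# Hosts allowed to serve script on the checkout page (constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}

# Constructed checkout-page fragment: a genuine analytics tag, a first-party
# script, an inline script, and a lookalike tag of the kind described above.
SAMPLE_HTML = """
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="/static/checkout.js"></script>
<script type="text/javascript" src='//g-analytics.com/ga.js'></script>
<script>window.dataLayer = window.dataLayer || [];</script>
"""

SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def external_script_hosts(html: str) -> list[str]:
    """Hostnames of every <script src=...> that loads from another origin."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname  # None for relative, first-party paths
        if host:
            hosts.append(host.lower())
    return hosts


def _tokens(host: str) -> set[str]:
    # Keep only distinctive labels: short ones such as "www" or "com" are dropped.
    return {t for t in re.split(r"[^a-z0-9]+", host) if len(t) >= 6}


def classify_host(host: str, allowed=ALLOWED_SCRIPT_HOSTS) -> str:
    """'allowed', 'lookalike of <host>' when it shares a distinctive label with
    an allowed host without being one, otherwise 'unknown'."""
    if host in allowed:
        return "allowed"
    for good in sorted(allowed):
        if _tokens(host) & _tokens(good):
            return f"lookalike of {good}"
    return "unknown"


def audit(html: str) -> dict[str, str]:
    """Map each external script host on the page to its verdict."""
    return {h: classify_host(h) for h in external_script_hosts(html)}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_HTML).items():
        print(f"{host:30} {verdict}")
```

Any "lookalike" or "unknown" verdict on a payment page is worth a ticket; a Content-Security-Policy script-src built from the same allowlist would stop the lookalike from loading at all.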


Due to the timing of the breach and the financial information involved, it is likely that regulators overseeing the EU's new General Data Protection Regulation (GDPR), which came into force this year on May 25, will take an interest.

If the UK's Information Commissioner's Office (ICO) finds that a company has failed to take adequate and reasonable steps to protect customer data, this can result in fines of up to €20 million or four percent of annual global turnover, whichever is higher.

Update 17.45 GMT: A Vision Direct spokesperson told ZDNet:

"Passwords are encrypted and stored as hashed on our website. However, if a customer entered their password between the impacted times, then this information is at risk.

From our investigation, we identified that a total number of 16,300 customers were at risk of their data being compromised. Of that, approximately 6,600 may have had financial data compromised and 9,700 personal and other data.

We are continuing to investigate the breach alongside the ICO and other authorities and have made numerous steps to ensure this does not happen again."
