Popular European contact lens supplier Vision Direct recently announced that it had suffered a malware attack across all its websites in the UK, Ireland, Netherlands, France, Spain, Italy and Belgium that resulted in the compromise of personal data of 9,700 customers and financial data of around 6,600 customers.
Personal and financial data of Vision Direct customers that were compromised as a result of the malware injection included names, addresses, telephone numbers, email addresses, full credit card numbers, CVV numbers, and expiry dates. Overall, a total of 16,300 Vision Direct customers were affected as a result of the cyber-attack.
Hackers skimmed customer data for five straight days
"From our investigation, we identified that a total number of 16,300 customers were at risk of their data being compromised. Of that, 6,600 may have had financial data compromised and 9,700 personal and other data. We are ensuring that we are communicating the appropriate actions to customers affected," said a spokeswoman from Vision Direct to Tech Crunch.
"The cause of the breach was a sophisticated malware infection, posing as Google Analytics code. We have since notified Google, but the link is still live and redirects to the Google platform.
"This particular breach is known as ‘Shoplift’ and was already known to our technology team, who installed a patch provided by our web platform provider to prevent this form of malware. Unfortunately, this current incident appears to be a derivative against which the patch proved ineffective. We are continuing to investigate the breach and have made numerous steps to ensure this does not happen again," she added.
According to the contact lens supplier, the said data breach took place "between 12.11am GMT 3rd November 2018 and 12.52pm GMT 8th November" and customers who placed orders or updated information on the firm's various websites between the said dates suffered the breach of their personal or financial information.
The firm clarified that any existing personal data that was previously stored in its database was not affected by the breach and that the affected websites are now up and running. However, customers have been advised to update their passwords and monitor their credit card activity to check if their financial information have been misused.
"The loss of credit card data is a worry for all organisations, not just the targeted company. The data lost has the potential to be lucrative in the hands of cybercriminals, who can use the card number and CVC to accurately mimic the legitimate customer in order to make fraudulent purchases, or facilitate further cybercrime.
"Many organisations are deploying counteractive measures based on passive biometrics and behavioral analytics successfully protecting against most types of post-breach fraud," said Ryan Wilk, VP at NuData Security.
Was Magecart behind the Vision Direct breach?
The manner in which hackers injected malware into Vision Direct's websites and skimmed personal and financial details of thousands of customers is very similar to the operating procedure of Magecart, a sophisticated hacker group believed to be behind the recent data breaches suffered by the likes of British Airways, TickerMasterUK, and Newegg.
"Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.
"Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality resulting in a high-profile breach of Ticketmaster customer data. Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK," noted cyber security firm RiskIQ in a report that confirmed the involvement of Magecart in the said incidents.
"This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer," the firm added.