Renowned European contact lens merchant Vision Direct has been hit by a data security breach that compromised the personal and financial data of its customers during the first week of November. In a security breach notice posted on VisionDirect.co.uk, the company confirmed that in a data theft incident between Nov 3 and Nov 8, every customer who entered or altered personal or financial information on the VisionDirect.co.uk website had that information disclosed to an intruder. “Between 12.11am GMT 3rd November 2018 and 12.52pm GMT 8th November, the personal and financial details of some of our customers ordering or updating their information on visionDirect.co.uk was compromised. This data was compromised when entering data on the website and not from the Vision Direct database. The breach has been resolved and our website is working normally,” VisionDirect said.
Giving details of the information stolen, VisionDirect wrote: “The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.” The company did not provide a count of the customers impacted by the breach, but confirmed that every customer who logged in to their account within the specified period and made any change to it was affected. This also includes customers who made a transaction on the VisionDirect.co.uk website or mobile app between Nov 3 and Nov 8. The breach affected not only the VisionDirect UK website but also its other websites operating across Europe: visiondirect.be, visiondirect.es, visiondirect.fr, visiondirect.ie, visiondirect.it and visiondirect.nl.
That’s exactly what it was. The data was stolen via a fake Google Analytics script: https://g-analytics[.]com/libs/1.0.16/analytics.js – you can view a copy of the JS via the @urlscanio archive of https://t.co/TV22dxvCcK https://t.co/SFi5Wp4gm3 pic.twitter.com/rY13cMR2TL
— Bad Packets Report (@bad_packets) November 18, 2018
When a visitor goes to the website, the Magecart group’s malware collects the personal details entered on the site as they are typed. While the script looked like Google Analytics, the domain it was served from (google-analytic[.]com) is not owned by Google.
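The skimmer worked because a lookalike host was allowed to serve a script on the checkout page. One defender-side check for that is to enumerate every external `<script src>` a page loads and flag any host that is not on a deliberate allowlist, which is also the list you would feed into a Content-Security-Policy `script-src` directive. The following is an added example written for this article, not code from Vision Direct or from the researchers quoted above; the allowlist, the site host `www.visiondirect.co.uk` and the sample HTML are constructed, and the `g-analytics[.]com` URL in the sample is the defanged one quoted in the tweet.

```python
"""Flag third-party <script src> hosts that are not on an allowlist.

Added example, not from the article. Useful as a periodic check of a
production checkout page: any script host that is not first-party and not on
the approved list is a finding, and "analytic" in the name of such a host is
called out as a lookalike of a legitimate analytics domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts the site owner has approved for loading scripts.
ALLOWED_SCRIPT_HOSTS = {
    "www.google-analytics.com",
    "www.googletagmanager.com",
}

# Constructed sample page. The third script tag uses the defanged URL quoted
# in the article; "[.]" is a common notation for not making a domain clickable.
SAMPLE_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://g-analytics[.]com/libs/1.0.16/analytics.js"></script>
</head><body><form id="payment"></form></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def refang(url):
    """Turn defanged IoC notation back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def script_host(url):
    """Lower-cased host of a script URL; empty string for relative URLs."""
    parsed = urlparse(refang(url))
    return (parsed.hostname or "").lower()


def find_unapproved_scripts(html, site_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (host, src, reason) for each external script not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = script_host(src)
        if not host:  # relative URL: served by the site itself
            continue
        if host == site_host or host in allowed:
            continue
        reason = "not on allowlist"
        if "analytic" in host:
            reason += "; lookalike of an analytics domain"
        findings.append((host, src, reason))
    return findings


def csp_script_src(site_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Build a Content-Security-Policy script-src directive from the allowlist.

    With this header in place the browser refuses to load any script host that
    is not listed, so a lookalike domain would be blocked instead of executed.
    """
    return "script-src 'self' " + " ".join(sorted(allowed))


if __name__ == "__main__":
    site = "www.visiondirect.co.uk"  # assumed first-party host
    for host, src, reason in find_unapproved_scripts(SAMPLE_HTML, site):
        print(f"FINDING {host}: {reason} ({src})")
    print("Suggested header: Content-Security-Policy: " + csp_script_src(site))
```

Run against the constructed page, the only finding is the `g-analytics.com` host; the first-party script and the genuine Google Analytics host pass. Because `urlparse` rejects bracketed hosts that are not IPv6 literals, the `refang` step matters when the input comes from a threat intel feed rather than a live page.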
In an earlier incident this year, the Magecart group was accused of a massive breach of Ticketmaster that exposed the information of hundreds of thousands of customers.
Since every website contains some vulnerabilities that can be exploited at some point by an individual or group with sufficient skill, it is better to be cautious about e-commerce application security before it is too late. If you own an e-commerce website or mobile application that collects or stores sensitive customer information, you might choose to talk with one of our e-commerce appsec experts to learn more about our managed application security solution.