Credit card details hacked in Vision Direct data breach
Cybercriminals have compromised the contact information and financial details of Vision Direct customers in a recent data hack.
Both personal and financial information has been put at risk, including full name, address, phone number, email address, and password details, as well as sensitive credit card numbers, expiry dates and CVV security codes. This information could be used to carry out financial fraud and data theft, so customers are understandably worried.
Earlier this week, the UK retailer informed its customers that their data was stolen in a five-day hack between 3rd and 8th of November. It is understood that a bogus Google Analytics script added to Vision Direct's website let hackers breach the company's security defences.
Should you be worried?
The breach affects customers who logged into their Vision Direct account or updated their personal details during the period in which the hack took place. At present, 16,300 customers are thought to be at risk.
In a letter to its customers, Vision Direct has admitted that this "information could be used to conduct fraudulent transactions".
It continues: "Vision Direct has taken steps to prevent any further data theft, the website is working normally and we are working with the authorities to investigate how this theft occurred."
Vision Direct will contact any customers who it believes have been affected by the data breach. The company has also asked all users to review their bank statements and change their passwords on the site as soon as possible.
Is Vision Direct responsible for the data breach?
Even where cybercriminals target a business, in the eyes of the law the business is still responsible for the data it holds. If it is found to be (even partially) responsible for a data breach, under the new General Data Protection Regulation (GDPR) it could be liable for millions of pounds in fines and compensation.
In this case, questions have been raised over whether or not Vision Direct had been storing CVV codes, since it is not permitted to keep verification codes after payments are authorised. If this is found to be the case, the regulator is likely to come down hard on the business.
If you have suffered damage or distress caused by an organisation breaching its data protection responsibilities, you also have a right to claim compensation.
At Hayes Connor Solicitors, we have considerable experience helping individuals whose data has been breached and would also recommend some additional steps to keep users safe.
These include looking out for fraudsters who attempt to gather more personal information (phishing), informing the Information Commissioner's Office (ICO) about your concerns, and reporting any suspected phishing attempts to the police and relevant authorities.
You can also check websites such as Haveibeenpwned.com to see if your details have been compromised in a data breach.