Vision Direct, an online contact lens supplier, has promised to refund customers who were left out of pocket after their credit card details were stolen from its website in a hack earlier this month.
In an interview, the company said that more than 16,000 people were at risk from a hack on its website at the start of the month.
Customers who logged in to the website, or created a new account, may have had their personal and bank details stolen.
The stolen details include customers’ names, credit card numbers, the three-digit CVV security codes from the back of the card and expiry dates: everything needed to shop online with the card.
The company said that the hack affected those who logged in during the period between the 3rd and the 8th of November this year.
Vision Direct said that customers who only browsed the website without logging in, and those who paid with PayPal, did not have their payment information stolen.
In a statement, the company said: “We understand that this incident will cause concern and inconvenience to our customers. We are contacting all affected customers to apologise and continue to inform you of any updates in the next few days.”
The European managing director at Janrain, Mayur Upadhyaya, stated: “Vision Direct have provided solid remediation advice in their blog, but we still have a challenge today of consumers reusing passwords.”
Upadhyaya works in online identity management. He added: “As more and more cyber crime is organised, password reuse puts you at risk. Each breached password will be found again and it builds up a very verbose cracking dictionary that can be used on other sites.”
He continued: “So any Vision Direct consumer that has reused their password, should reset on other sites.”
A company spokesperson stated: “We identified that approximately 16,300 customers were at risk of their data being compromised due to the recent data breach on our websites. Of that, 6,600 may have had financial data compromised and 9,700 personal and other data.”
He added: “We are currently working with the ICO and other authorities to investigate the data theft and to ensure that we are communicating the appropriate actions to all customers affected.”