Australia's Leading Ophthalmic Magazine Since 1975

Customer data hacked at online eyecare retailers

08/01/2019 By Myles Hume

Thousands of Vision Direct UK customers have had their full credit card information and personal details stolen, following a massive security breach at the online contact lens company.

 

Of the 16,300 customers affected, around 6,600 had financial data exposed – including expiry dates and CVV numbers – while a further 9,700 had personal information leaked.

Vision Direct UK, which describes itself as Europe’s largest online seller of contact lenses, accessories and eyecare products, said the breach happened between November 3 and 8. It affected the company’s UK website, as well as local versions for Ireland, the Netherlands, France, Spain, Italy and Belgium.

A company spokesperson told the BBC the hackers placed a fake Google Analytics script within its websites’ code. The personal information was compromised as it was entered into the site and included full names, billing addresses, email addresses, passwords, telephone numbers and full payment card information.

Historical customer data entered into the company’s system remained secure.

“We understand that this incident will cause concern and inconvenience to our customers. We are contacting all affected customers to apologise,” a Vision Direct spokesperson said.

“We will compensate any customers who have suffered financial loss as a result of this breach.”

Vision Direct is conducting an internal investigation, and has contacted the UK’s Information Commissioner’s Office (ICO) and Google to inform them about the breach. However, an ICO spokesperson said it wasn’t handling the incident due to the company now being owned by France-based Essilor International.

According to the website Hackread, the hackers used a “sophisticated” method of placing malicious JavaScript code to steal financial data.

“During the attack, hackers used a domain g-analytics[.]com that resembled the official website for Google Analytics and this is probably why the company seemed to be unaware of the presence of malicious script on its domains,” the website stated.
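
A site owner can catch a script served from a look-alike host, as described above, by auditing the script sources on checkout pages against an allowlist. The sketch below is an added example, not code from Vision Direct, Hackread or this article; the allowlist, the shared-token heuristic, the page URL and the sample HTML are assumptions constructed for illustration.

```javascript
// Hosts this (hypothetical) shop has approved for third-party scripts.
const ALLOWED_HOSTS = ["www.google-analytics.com", "www.googletagmanager.com"];

// Return the distinct hostnames of every <script src=...> in the page.
function scriptHosts(html, pageUrl) {
  const hosts = new Set();
  const re = /<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of html.matchAll(re)) {
    try {
      // Relative and protocol-relative URLs resolve against the page URL.
      hosts.add(new URL(m[1], pageUrl).hostname.toLowerCase());
    } catch {
      hosts.add("(unparseable: " + m[1] + ")");
    }
  }
  return [...hosts];
}

// Distinctive name parts of a host: labels and hyphen-separated words, 6+ chars.
function tokens(host) {
  return host.split(/[.-]/).filter((t) => t.length >= 6);
}

// Report every script host that is neither first-party nor allowlisted.
// A host sharing a distinctive token with an approved host is a "lookalike".
function auditScripts(html, pageUrl, allowed = ALLOWED_HOSTS) {
  const firstParty = new URL(pageUrl).hostname.toLowerCase();
  const findings = [];
  for (const host of scriptHosts(html, pageUrl)) {
    if (host === firstParty || allowed.includes(host)) continue;
    const resembles = allowed.find((a) =>
      tokens(a).some((t) => tokens(host).includes(t)));
    findings.push({ host, verdict: resembles ? "lookalike" : "unlisted",
                    resembles: resembles || null });
  }
  return findings;
}

// Constructed sample page; the paths are invented for the example.
const SAMPLE_HTML = `
<script src="/static/checkout.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="//g-analytics.com/x.js"></script>
<script src="https://cdn.widgets.example/w.js"></script>`;

console.log(auditScripts(SAMPLE_HTML, "https://shop.example/checkout"));
```

A static scan like this only sees script tags present in the served HTML; a Content-Security-Policy `script-src` allowlist enforces the same list in the browser for scripts added at runtime.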

Meanwhile, major US online eyewear retailer Warby Parker has had to reset the passwords on nearly 200,000 of its customer accounts over fears they could have been compromised. According to the company, usernames and passwords were obtained from data breaches on other websites and then used to access Warby Parker customer accounts.

Warby Parker co-founder and co-chief executive officer Mr Dave Gilboa apologised for the incident, and said the company is actively cooperating with law enforcement.
