Optician Vision Direct appears to be the latest business to fall prey to a Magecart-style attack.
Customers who used the site over a six-day period from 3 November to 8 November have had credit card details (including CVV codes) and personal details stolen.
Vision Direct, owned by France’s Essilor, is Europe’s largest online retailer of contact lenses and eye care products.
The company said: “The personal and financial details of customers logging in or updating their accounts between 12.11am GMT 3rd November 2018 and 12.52pm GMT 8th November 2018 were compromised. Only customers who logged in between these dates are at risk.
“The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.”
The company added: “Any existing personal data that was previously stored in our database was not affected by the breach. All payment card data is stored with our payment providers and so stored payment card information was not affected by the breach.”
Jake Moore, from cybersecurity company ESET UK, said in an emailed statement: “We desperately need to build a stronger and more robust financial transfer system that encrypts and verifies more often. I find it astonishing that we have spent so much money on multi-factor authentication when it comes to logging into accounts and sending money via bank accounts, yet if I view someone’s card number at the till and they flip it over to view the “security” CVV number on the back, I could then go on a shopping spree undetected.”
“We are all starting to use our phones to verify our identity so why can’t we introduce multi-factor authentication as standard when it comes to online payments attached to our cards? It would instantly reduce the demand for stolen credit card data as it would simply not work without the verification from the card owner.”