CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 6th, 2010

Argos Expose Unencrypted Credit Card Data In Email Receipts

Catalogue firm Argos has been criticised for an email security breach that exposed customers’ credit card details and CCV security numbers. The breach was discovered by UK Argos customer Tony Graham and first reported by PC Pro. Graham’s card details were recently fraudulently misused, but this incident has not been linked to the Argos email slip-up.

The exposure came to light after an Argos customer who checked his order confirmation email found that his credit card number and security code was buried in the HTML source of the message. The slip-up meant that any miscreants who intercepted email confirmation messages from Argos would be able to harvest plastic card payment details – if they spotted where the numbers were stashed.

It’s unclear how long the exposure problem lasted, or how many Argos customers were affected.

In a statement, Argos said it had already corrected the fault and was working with privacy watchdogs at the Information Commissioner’s Office in dealing with the fallout from the breach.

Argos takes the security of its customers’ data extremely seriously, is fully aware of the requirements of the Data Protection Act and has taken remedial action in relation to this matter.

We are in contact with the Information Commissioner’s Office. We have made them aware of our approach to customer communications and will continue to work closely with them to ensure we are taking all appropriate actions.

Ed Rowley, product manager EMEA at content security firm M86 Security, said the whole incident might easily have been prevented. “It is incomprehensible that this credit card data was sent out in an unencrypted format – even if the sensitive information was not visible in the main body it should have been protected from being sent out,” he said.

“A good email content filtering product could have enforced encryption or blocked this data from being sent out at all by Argos, using standard or default email security rules.

“This case highlights the need to filter both inbound and outbound email in order to guard against malware coming in but also to block sensitive information from leaking out. It’s astonishing that larger companies are not using these well established security tools and procedures.”

Credit: The Register

Share this item with others:

More on CyberInsecure:
  • Malware Found In Heartland Bank Card Payment System
  • Linux Firewall For Windows On A PCMCIA Laptop Card
  • Radisson Hotels Breached, Sensitive Customer Data Exposed
  • Sony PlayStation Network Breached, 77 Million Users Private Data Stolen
  • Stolen Credit Cards For Sale

    • Posted in Breaches And Incidents, Cryptography, Privacy | Print This Post Print This Post

    This entry was posted on Saturday, March 6th, 2010 at 4:57 am and is filed under Breaches And Incidents, Cryptography, Privacy. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Argos Expose Unencrypted Credit Card Data In Email Receipts

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.

    « «
    » »