Cyber Incident Victim: Vision Direct

Vision Direct, a European online contact lens supplier, experienced a data breach compromising customer information between 12:11 AM GMT on November 3, 2018, and 12:52 PM GMT on November 8, 2018. The incident affected logged-in users who placed orders or updated their personal details on the company’s visiondirect.co.uk website during this five-day window. Attackers accessed full credit card details, including card numbers, expiration dates, and CVV security codes, along with customers’ full names, billing addresses, email addresses, account passwords, and telephone numbers. The breach exposed payment card data in real time as customers entered it during transactions, though Vision Direct clarified that stored payment information remained unaffected because it resided with third-party payment providers. The company did not disclose the exact number of impacted customers but confirmed the theft involved active shoppers during the specified timeframe.

Vision Direct publicly disclosed the breach on November 18, 2018, through a website announcement and direct email notifications to affected customers. The company advised potentially compromised individuals to contact their banks or credit card providers for guidance on securing their accounts. No technical details about the attack vector or intrusion method were provided in the disclosure. The incident exposed customers to heightened risks of financial fraud and identity theft due to the theft of sensitive personal and payment information. Vision Direct’s response focused on customer notification and directing victims to financial institutions for mitigation, without describing internal forensic findings or security improvements implemented post-breach. The company’s statement emphasized that stored payment card data was not compromised, limiting the breach’s scope to information processed during the active attack window.