Add to del.icio.us     Digg this

March 10, 2010

Online catalog company Argos has been severely criticised for an e-mail security breach that exposed thousands of customers’ credit card details and CCV security numbers. The exposure was made public after an Argos customer who checked his order confirmation e-mail instead found that his credit card number and security code was buried in the HTML source code of the message.

This security breach means that any potential hacker who intercepts a similar email confirmation message from Argos would be able to harvest credit card payment details and use them illegally to commit online fraud.

The security issue was discovered by U.K. Argos customer Tony Graham.

Overall, Graham's card details were recently fraudulently misused, but this incident has not been linked to the Argos email fiasco, however.

For now, it's still unclear how long the exposure problem lasted, or how many Argos customers were affected in the first place, but some security experts think the numbers could be several thousands of victims.

Ed Rowley, product manager at content security firm M86 Security, said the whole incident might easily have been prevented. “It is incomprehensible that this credit card data was sent out in an unencrypted format - even if the sensitive information was not visible in the main body it should have been protected from being sent out," Rowley said.

"Overall, a good email content filtering product could have enforced the encryption of the email or at the very least it would have blocked the data from being sent out at all by Argos, using standard or default e-mail security rules.

Argos added that it had already corrected the problem and was working with privacy watchdogs at the Information Commissioner’s Office in dealing with the many problems caused by the security breach.

"Argos takes the security of its customers’ data extremely seriously, is fully aware of the requirements of the Data Protection Act and has taken remedial action in relation to this matter. We are in direct contact with the Information Commissioner’s Office. We have made them fully aware of our approach to customer communications, and will continue to work closely with them to ensure we are taking all appropriate measures," an Argos spokesperson said yesterday.

"This case highlights the need to filter both inbound and outbound email in order to guard against malware coming in but also to block sensitive information from leaking out. It’s unacceptable today that larger organizations aren't using well established security tools and the proper methods in dealing with this critical type of security breach," he added.

Add to del.icio.us     Digg this

Source: M86 Security & Ass.

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.

You can link to the Internet Security web site as much as you like. Read our section on how your company can participate in our reciprocal link exchange program and increase your rankings in the major search engines such as
Google and all the others.