Opsecure

Operational Security

Argos Breaches PCI - Credit card details in email receipts

Catalogue firm Argos has been criticised for an email security breach that exposed customers’ credit card details and CVV security numbers.

The exposure came to light after an Argos customer who checked his order confirmation email found that his credit card number and security code were buried in the HTML source of the message. The slip-up meant that any miscreants who intercepted email confirmation messages from Argos would be able to harvest plastic card payment details - if they spotted where the numbers were stashed.

The breach was discovered by UK Argos customer Tony Graham and first reported by PC Pro. Graham's card details were recently fraudulently misused, but this incident has not been linked to the Argos email slip-up.

It's unclear how long the exposure problem lasted, or how many Argos customers were affected.

In a statement, Argos said it had already corrected the fault and was working with privacy watchdogs at the Information Commissioner’s Office in dealing with the fallout from the breach.

Argos takes the security of its customers’ data extremely seriously, is fully aware of the requirements of the Data Protection Act and has taken remedial action in relation to this matter.

We are in contact with the Information Commissioner’s Office. We have made them aware of our approach to customer communications and will continue to work closely with them to ensure we are taking all appropriate actions.

Ed Rowley, product manager EMEA at content security firm M86 Security, said the whole incident might easily have been prevented. "It is incomprehensible that this credit card data was sent out in an unencrypted format - even if the sensitive information was not visible in the main body it should have been protected from being sent out," he said.

"A good email content filtering product could have enforced encryption or blocked this data from being sent out at all by Argos, using standard or default email security rules.

"This case highlights the need to filter both inbound and outbound email in order to guard against malware coming in but also to block sensitive information from leaking out. It’s astonishing that larger companies are not using these well established security tools and procedures."
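Rowley's point about outbound filtering is easy to illustrate. The following is an added example, not code from the article or from any product it mentions: a minimal outbound check that inspects the raw source of every text part of a message (not just the rendered view) for Luhn-valid card numbers and CVV-style fields, and returns a block decision. The sample e-mail and its hidden-field layout are constructed for illustration; the regexes and the scan function are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed sample: the visible body is harmless, but the HTML source
# carries a card number and CVV in hidden fields (hypothetical layout).
SAMPLE_EMAIL = """From: orders@example.invalid
To: customer@example.invalid
Subject: Your order confirmation
Content-Type: text/html; charset=utf-8

<html><body><p>Thank you for your order. Total: &pound;49.99</p>
<input type="hidden" name="card" value="4111 1111 1111 1111">
<input type="hidden" name="cvv" value="123">
</body></html>
"""

# 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A CVV label followed, within a few characters (an HTML attribute fits),
# by a 3-4 digit value; this is what catches the hidden field above.
CVV_RE = re.compile(r"(?i)\b(?:cvv|cvc|cv2|security\s*code)\b.{0,16}?\b\d{3,4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check: weeds out ordinary numbers (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_outbound(raw_message: str) -> dict:
    """Inspect every text part's raw source, not the rendered view."""
    msg = message_from_string(raw_message)
    result = {"action": "allow", "pans": [], "cvv": False}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        text = part.get_payload(decode=True).decode(charset, "replace")
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                result["pans"].append(digits[-4:])  # record last four only
        if CVV_RE.search(text):
            result["cvv"] = True
    if result["pans"]:  # a valid PAN in any part is enough to block
        result["action"] = "block"
    return result
```

Running `scan_outbound(SAMPLE_EMAIL)` returns a block decision with the last four digits and the CVV flag set, even though nothing sensitive appears in the rendered body.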

Original article by John Leyden
Posted in ID, 5th March 2010 11:49 GMT

Argos PCI Breach

From April 2010, the Information Commissioner expects to impose 25 Monetary Penalty Notices, each of up to £500k, per annum. Organisations that fail to take reasonable measures that they ought to have taken to comply with the DPA will be in the firing line.


There is a narrow window to avoid being on that list: as a minimum, organisations should carry out a DPA compliance audit, to establish what still needs to be put in place and to establish lines of responsibility, and should carry out a risk assessment around their personal data.


This DPA Compliance Kit contains all the tools for doing it yourself.

How will this compliance kit help?

So you know that you have to comply with the Data Protection Act, and you know that if you are found to be in breach of the DPA after April 2010 the ICO can levy tough penalties, far tougher than any seen before.


The first thing you need to do is identify your current level of conformance. The DPA Compliance Assessment Tool will help you do this: it provides recommendations and offers guidance to help you close any gaps that are identified.


Once you have identified exactly what you need to do in order to become fully compliant with the DPA, you will find the DPA Compliance Documentation Toolkit invaluable. It includes all the documentation templates, which are fully customisable, that are essential for any UK data controller (and any UK organisation that is responsible for personal information) seeking compliance with the UK Data Protection Act 1998.


The Assessment Tool and the Documentation Toolkit will enable your organisation to become fully compliant with the DPA. However, to make the process easier and to provide supporting guidance we have included two essential pocket guides:

  1. Data Protection Compliance in the UK, which will help everyone in the organisation responsible for data protection get up to speed - and ensure that no one has grounds to complain of ignorance of the law!

  2. How to Survive a Data Breach, which provides essential support for organisations tackling this mission.
