Why hasn’t Argos told customers of credit-card fiasco?
Argos has failed to inform customers that their credit-card details have been compromised, more than three weeks after PC Pro first exposed the glaring hole in the company’s website security.
On 4 March, we revealed how Argos had included customers’ names, addresses, credit-card numbers and security codes in unencrypted order confirmations.
It was subsequently revealed that a link to Argos’s security page also contained the credit-card details in a plain-text link, potentially leaving the data strewn in web browser history, as well as employers’ and ISPs’ server logs.
The flawed emails were being sent from last April, right through to the beginning of this month when we alerted the store to the issue. At least two people who received the emails have subsequently had their credit-card details stolen, although there’s no evidence to tie the emails to the thefts.
Affected customers have told PC Pro that they’ve received no warning from the company that their credit-card details have been compromised. When we asked Argos today whether it had contacted customers who received the insecure emails, it refused to answer the question.
“We would like to reiterate that Argos takes the security of its customers’ data extremely seriously and has taken appropriate action in relation to this matter,” Argos said in a statement. “Argos is in contact with the Information Commissioner’s Office and has made them aware of its approach to customer communications.”
The Information Commissioner’s Office refused to comment on the advice it has given Argos.
Although Argos seems unwilling to raise the alarm, the company is responding to individual complaints from customers.
When Dennis Publishing’s chief technology officer, Paul Lomax, complained to the store that his credit-card details had been stolen after placing an order, he was told: “We do not believe that your details have been compromised as a result of this issue.”
The response infuriated Lomax. “You have absolutely no basis for your belief that my details have not been compromised as a result of this issue,” he wrote in reply to the email.
“You have sent my full credit-card details, including CVV and address, in plain text over the internet. Once this email left your server you have absolutely no way of guaranteeing its security – it would have passed through various points on the way to my email in box. Plus, since I clicked the ‘online security’ link, you have also put my credit-card details into my ISP’s URL logs, their proxies, my browser history, and God knows where else.”
That complaint was met with the same boilerplate reply as his first.