Argos exposes customers' credit-card numbers in emails
By Barry Collins
Posted on 3 Mar 2010 at 07:31
High street retailer Argos has compromised its customers' security by sending their credit-card details - including the vital security code - in unencrypted emails.
The company has been including the customer's full name, address, credit-card number and three-digit CCV security code in order confirmation emails, which are sent once a customer has placed an order on the Argos website. Although the credit-card details don't appear in the text of the email itself, they are contained - in plain text - in the HTML code of the order confirmation.
It means that anyone intercepting or gaining access to the order confirmations would have all the details necessary to steal someone's credit card.
Argos has refused to confirm how many customers have been affected.
The flaw was spotted by PC Pro reader Tony Graham from Wiltshire. He was trying to hunt down another order confirmation in his inbox by searching for the last four digits of his credit-card number. He was surprised to find the Argos order confirmation in the search results. When he couldn't find his credit-card number in the email message itself, he clicked the View Source option and was astonished to discover his card number and security code were embedded in the HTML.
Mr Graham initially reported the issue to Argos but received no reply, so he contacted the company's secure payment provider VeriSign, who confirmed the issue. Argos subsequently claimed to have fixed the issue in correspondence with Mr Graham.
Mr Graham's credit-card details were subsequently stolen, although there's no evidence to link the theft to the Argos email.
Argos apology
PC Pro asked Argos to confirm how many order confirmations had been sent out with the unencrypted credit-card details and if it had contacted affected customers, but it declined to answer the questions.
Instead, the company issued the following statement: "As far as we are aware, Mr Graham is the only customer to have contacted us regarding this potential issue, which has now been fully investigated and resolved to prevent it from happening in the future."
"We have written to Mr Graham apologising for the incident and reassured him that we acted swiftly to amend our procedures and we have no reason to believe that Mr Graham’s details have been compromised as a result of this incident."
"We have an obligation to protect our customers’ data and to ensure its security, so we cannot reveal information relating to our data processing arrangements nor regarding our dealings with other customers."
The secure shopping advice on Argos's website states that "shopping on Argos.co.uk is as secure as shopping in any store. Your credit card details will be encrypted to help keep them secure."
What was the timeframe between this email being sent and his credit card account being compromised?
By a_byrne22 on 3 Mar 2010 
Yep it's true alright
I have just checked the email confirmation I received from Argos last year... it has all the details in there! Unbelievable! I am glad that my card has now expired, otherwise I would be really worried...
By andieevans on 3 Mar 2010 
It's pretty unforgivable but sending private details (including CC numbers and account passwords) by standard e-mail is more widespread than most people realize.
As it clearly breaches the Data Protection Act, what action will be taken against Argos? Probably nothing, which means that other companies will continue to be quite complacent in their procedures.
By Bureaunet on 3 Mar 2010 
One reason
"we have no reason to believe that Mr Graham’s details have been compromised as a result of this incident."
Other than his card details have been stolen since - but of course, that is merely coincidence - Right?
By greemble on 3 Mar 2010 
Personally affected
I checked my email archive and saw that an order I made with Argos last September included all my credit card details too.
You don't even need to view the source...
Ironically the details are part of a hyperlink in the footer to their 'online security' page. For some reason they're passing your whole order record (CC#, address, etc) through in the URL as a GET request....
And maybe it's another coincidence, but the card I used for that order was defrauded a few months later - purchases online to Hutchinson Telecom (3), House of Fraser, a jewellery website and US$ cash...
By PaulLomax on 3 Mar 2010 
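A defender-side check for the failure both the article (card data in the order confirmation's HTML) and the comment above (the order record passed in a footer link's query string) describe: an added example, not Argos's, VeriSign's or PC Pro's code. The sample email, the domain and the list of sensitive parameter names are constructed for illustration; such a gate would run over outbound mail before it is sent.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample modelled on the defect described above: no card data in the visible
# text, but a footer link's query string carries the order record (4111... is a test PAN).
SAMPLE_EMAIL_HTML = """<html><body>
<p>Thank you for your order, J Smith. Order ref: A1234567</p>
<p><a href="https://shop.example.invalid/security?name=J+Smith&amp;card=4111111111111111&amp;cvv=123&amp;addr=1+High+St">Online security</a></p>
</body></html>"""

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Hypothetical list of query keys that must never reach a customer-facing URL.
SENSITIVE_PARAMS = {"card", "cardnumber", "pan", "cvv", "cvc", "cv2", "ccv"}

def luhn_valid(digits):
    """Luhn check: separates real card numbers from order refs and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return Luhn-valid candidate PANs (digits only) found anywhere in text."""
    digit_runs = (re.sub(r"[ -]", "", m.group()) for m in CANDIDATE_PAN.finditer(text))
    return [d for d in digit_runs if luhn_valid(d)]

class LinkExtractor(HTMLParser):
    """Collect href targets so link query strings can be inspected on their own."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def scan_email(html):
    """Pre-send gate: PANs anywhere in the raw markup (reported by last four digits
    only, so the gate itself leaks nothing) and link parameters that carry card data."""
    report = {"pans_last4": sorted({p[-4:] for p in find_pans(html)}), "url_params": []}
    parser = LinkExtractor()
    parser.feed(html)
    for href in parser.hrefs:
        for key, values in parse_qs(urlparse(href).query).items():
            if key.lower() in SENSITIVE_PARAMS or any(find_pans(v) for v in values):
                report["url_params"].append(key)
    return report
```

Scanning the raw markup rather than the rendered text is what catches the case Mr Graham hit, where the card number was only visible via View Source.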
three-digit CCV code
I was under the impression that the PCI standard doesn't allow the three-digit CCV code to be stored. The fact that they're passing it back in an email and using it in a "GET" request as mentioned above implies that they are indeed storing it. So maybe they're still not compliant. I think it needs a few people who've had these emails to complain to the Information Commissioner.
By nickramsden on 4 Mar 2010 
Not just Argos - Virgin Media too.
Virgin Media did the same thing to me last month - twice - only more blatant, as it was in the main text of the email.
I complained, only to be told that it's perfectly safe & company policy!
This from an ISP - pathetic!
By Mr_John_T on 4 Mar 2010 
PCI not legal
Rather stupidly, the PCI framework is only a set of guidelines, and in no way represents a legally binding standard.
In my experience online legality is kept fairly loose to make it easier for some of the big names to pass the buck, usually onto smaller organisations.
It would be a much safer situation if they were set as legal requirements, and additionally all servers should be made to carry a basic SSL certificate.
By Gindylow on 4 Mar 2010 
@Mr_John_T - Did Virgin include the CV2 number as well? That's the key... Card number alone is of limited use.
@Gindylow - Data protection basically says you have to take 'reasonable steps' for security. Doesn't define reasonable - up to a court or the commissioner to decide...
By PaulLomax on 4 Mar 2010 
Fine for me - Argos should know better
I checked my email from November last year and there was no card info in the source code or contained in the email. I paid by CC & it was over 100 pounds, but that still doesn't help if this information is intercepted.
As they are a popular shopping site, Argos' attitude is worryingly blasé - pay in store if you're concerned.
By champmanfan2 on 4 Mar 2010 
Re: Virgin Media
Hi Paul,
I just checked the email & I had it slightly wrong in my first post: it wasn't my bank card number - it was my bank account number, together with my sort code and full name.
I still think it's a shocking state of affairs, as I reckon they could be pretty 'useful' in the right hands, (working out my address from my phone number is not exactly a chore).
I just think an ISP really should know better...
By Mr_John_T on 4 Mar 2010 
Another victim
Like some others here, I've checked my previous Argos email receipts and found one which suffers from this problem. Perhaps not coincidentally, the affected card was also used fraudulently around that time and has since been cancelled.
Anyway, I've blogged about this if anyone wants to read more: http://chris.gg/p637
By ChrisGG on 5 Mar 2010 
Printed from www.pcpro.co.uk