Argos exposes customers' credit-card numbers in emails

3 Mar 2010
Credit card

PC Pro exclusive: Argos compromises customer security by sending credit-card numbers in insecure emails

High street retailer Argos has compromised its customers' security by sending their credit-card details - including the vital security code - in unencrypted emails.

UPDATE: Argos credit-card scandal worsens

The company has been including the customer's full name, address, credit-card number and three-digit CCV security code in order confirmation emails, which are sent once a customer has placed an order on the Argos website. Although the credit-card details don't appear in the text of the email itself, they are contained - in plain text - in the HTML code of the order confirmation.

Anyone intercepting or gaining access to the order confirmations would have all the details necessary to steal someone's credit card

It means that anyone intercepting or gaining access to the order confirmations would have all the details necessary to steal someone's credit card.

Argos has refused to confirm how many customers have been affected.

The flaw was spotted by PC Pro reader Tony Graham from Wiltshire. He was trying to hunt down another order confirmation in his inbox by searching for the last four digits of his credit-card number. He was surprised to find the Argos order confirmation in the search results. When he couldn't find his credit-card number in the email message itself, he clicked the View Source option and was astonished to discover his card number and security code were embedded in the HTML.

Mr Graham initially reported the issue to Argos but received no reply, so he contacted the company's secure payment provider VeriSign, who confirmed the issue. Argos subsequently claimed to have fixed the issue in correspondence with Mr Graham.

Mr Graham's credit-card details were subsequently stolen, although there's no evidence to link the theft to the Argos email.

Argos apology

PC Pro asked Argos to confirm how many order confirmations had been sent out with the unencrypted credit-card details and if it had contacted affected customers, but it declined to answer the questions.

Instead, the company issued the following statement: "As far as we are aware, Mr Graham is the only customer to have contacted us regarding this potential issue, which has now been fully investigated and resolved to prevent it from happening in the future."

"We have written to Mr Graham apologising for the incident and reassured him that we acted swiftly to amend our procedures and we have no reason to believe that Mr Graham’s details have been compromised as a result of this incident."

"We have an obligation to protect our customers’ data and to ensure its security, so we cannot reveal information relating to our data processing arrangements nor regarding our dealings with other customers."

The secure shopping advice on Argos's website states that "shopping on Argos.co.uk is as secure as shopping in any store. Your credit card details will be encrypted to help keep them secure."

Read more

News