Why hasn't Argos told customers of credit-card fiasco?
By Barry Collins
Posted on 25 Mar 2010 at 14:26
Argos has failed to inform customers that their credit-card details have been compromised, more than three weeks after PC Pro first exposed the glaring hole in the company's website security.
On 4 March, we revealed how Argos had included customers' names, addresses, credit-card numbers and security codes in unencrypted order-confirmation emails.
It was subsequently revealed that the link to Argos's security page also contained the credit-card details in plain text, potentially leaving the data strewn in web browser history, as well as in employers' and ISPs' server logs.
The flawed emails were being sent from last April, right through to the beginning of this month when we alerted the store to the issue. At least two people who received the emails have subsequently had their credit-card details stolen, although there's no evidence to tie the emails to the thefts.
Affected customers have told PC Pro that they've received no warning from the company that their credit-card details have been compromised. When we asked Argos today whether it had contacted customers who received the insecure emails, it refused to answer the question.
"We would like to reiterate that Argos takes the security of its customers' data extremely seriously and has taken appropriate action in relation to this matter," Argos said in a statement. "Argos is in contact with the Information Commissioner's Office and has made them aware of its approach to customer communications."
The Information Commissioner's Office refused to comment on the advice it has given Argos.
Stolen details
Although Argos seems unwilling to raise the alarm, the company is responding to individual complaints from customers.
When Dennis Publishing's chief technology officer, Paul Lomax, complained to the store that his credit-card details had been stolen after placing an order, he was told: "We do not believe that your details have been compromised as a result of this issue."
The response infuriated Lomax. "You have absolutely no basis for your belief that my details have not been compromised as a result of this issue," he wrote in reply to the email.
"You have sent my full credit-card details, including CVV and address, in plain text over the internet. Once this email left your server you have absolutely no way of guaranteeing its security - it would have passed through various points on the way to my email in box. Plus, since I clicked the 'online security' link, you have also put my credit-card details into my ISP's URL logs, their proxies, my browser history, and God knows where else."
That complaint was met with the same boilerplate reply as his first.
Argos may like to review https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml to learn what the rest of the industry is having to do to keep cards secure.
By banxia on 25 Mar 2010
What a nasty company
I'm not sure what's worse - the fact that Argos made a system so unsecure it took proactive effort to make it worse than if they had not done anything at all; or their obvious utter contempt for their customers.
Either way I don't think I will shop there again.
By Nodule on 25 Mar 2010
I'll fix it for you all
If you just leave your card number, expiry and CVV code in a comment I'll be sure to delete it all from the Internet for you.
By notken_uk on 25 Mar 2010
Public protest anyone?
Anyone fancy standing outside an Argos shop, holding up banners and placards telling customers and passers-by that their details are not secure? ;-)
By mviracca on 26 Mar 2010
where are my details
Why did you delete my credit card details?
Argos would never do this to me!!!!
By Steve_Adey on 26 Mar 2010
Calm down....
Steve,
I deleted your message because some readers feared the credit-card details were genuine and didn't want you being robbed. We've got a loving, caring bunch of readers.
Best wishes
Barry Collins
Online Editor
By Barry_Collins on 26 Mar 2010
lol
That's so good of you lot. I thought notken was the only nice one on here. Now if you lot could only refund the £50,000 I've been scammed on that card :(
By Steve_Adey on 26 Mar 2010
No great surprise
Having gone through a redundancy with a corporate the verbiage looks identical... i.e. We don't know, we don't care, we issue faceless statements that look as though we care, get lost....
By Dr_Zeus on 27 Mar 2010
