Softpedia
 


March 5th, 2010, 14:46 GMT · By

Large UK Retailer Leaks Payment Information via Email

Argos sends credit card data embedded in emails
Argos, one of the leading general-goods retailers in the UK, has been sending out order confirmation emails with sensitive credit card data in the source code for months. Sensitive details were also included in a URL sent to customers.

The security breach was reported to PC Pro earlier this month by a former Argos customer from Wiltshire named Tony Graham. He accidentally discovered the leak while trying to find an order confirmation email from another company and using the last four digits of his credit card number as a search query.

He was surprised to see the Argos email amongst the search results as it didn't appear to list his full or partial card number. However, when checking out the source code, he was astonished to find his complete unencrypted payment details including the CVV2 security number on his credit card.

The company admitted that an order confirmation email sent to Mr. Graham contained all information necessary to perform identity theft, but failed to specify how many other customers received similar messages. "Argos takes the security of its customers’ data extremely seriously, is fully aware of the requirements of the Data Protection Act and has taken remedial action in relation to this matter," the firm stated.

But, as it turns out, sending credit card data embedded in the source code of emails is not the only insecure practice employed by Argos. The same sensitive information was found to be contained in custom URLs sent in similar order confirmation messages dating back to at least September 2009.

Those URLs pointed to the security section on the argos.co.uk website, which ironically informs customers that during online shopping their "details are encrypted for increased security (128 bit)" and that "We use advanced encryption so that your card details cannot be seen." Apparently, the company cares a great deal about how it receives sensitive information, and less about how it handles it afterwards.

The fact that two Argos customers, who received such compromising messages, had their credit cards misused afterwards may be simply a coincidence. However, the sad reality is that there are a lot of methods cyber-crooks can use to intercept email traffic or access URLs stored in browsing history and firewall logs.
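As an added illustration (not part of the original article and not Argos's code), here is a pre-send check a mailer could run on outgoing messages: it scans the raw source of each text part, plus the query strings of embedded links, for Luhn-valid card numbers. The sample message, the `shop.example` domain and all function names are constructed for this example; the card numbers are standard test values.

```python
import html
import re
from email import message_from_string
from urllib.parse import parse_qsl, urlsplit

# 13-19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def luhn_ok(digits):
    """Luhn checksum: filters out most random digit runs (order ids, phones)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    runs = (re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(text))
    return {r for r in runs if luhn_ok(r)}

def mask(pan):
    return "*" * (len(pan) - 4) + pan[-4:]  # never log the full number

def scan_message(raw):
    """Scan the raw source of every text part, not the rendered view."""
    findings = set()
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = html.unescape(part.get_payload(decode=True).decode(charset, "replace"))
        for url in URL_RE.findall(body):  # card data in link parameters
            for key, value in parse_qsl(urlsplit(url).query):
                findings |= {("url-param:" + key, mask(p)) for p in find_pans(value)}
        # hidden fields, comments and attributes outside of links
        findings |= {("source", mask(p)) for p in find_pans(URL_RE.sub(" ", body))}
    return sorted(findings)

# Constructed sample: test card numbers, hypothetical shop.example domain
SAMPLE = (
    "From: orders@shop.example\nContent-Type: text/html; charset=utf-8\n\n"
    "<html><body><p>Thanks for your order A-77. Card ending 1111.</p>\n"
    '<input type="hidden" name="cc" value="4111111111111111">\n'
    '<a href="http://shop.example/security?card=4012888888881881&amp;cvv=123">Info</a>\n'
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

The rendered message shows only "Card ending 1111", yet the scan reports one full number in the HTML source and another in a link parameter, the two places the article describes.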
