An online contact lens supplier will refund customers left out of pocket when their credit card details were stolen from its site earlier this month.
Vision Direct told City A.M. that over 16,000 people were at risk from a hack on its website at the beginning of November.
Customers who logged in to the website, or created a new account, may have had their personal and bank details stolen.
The stolen details include names, credit card numbers, expiry dates and three-digit CVV codes from the back of the card — everything needed to shop online.
The hack affected those who logged on between 3 November and 8 November this year, the company said.
Customers who just browsed the website without logging in, and those who used PayPal, have not had their payment details stolen, Vision Direct said.
“We understand that this incident will cause concern and inconvenience to our customers. We are contacting all affected customers to apologise and continue to inform you of any updates in the next few days,” the company said in a statement.
Mayur Upadhyaya, European managing director at Janrain, which manages online identities, said: “Vision Direct have provided solid remediation advice in their blog, but we still have a challenge today of consumers reusing passwords.
“As more and more cyber crime is organised, password reuse puts you at risk. Each breached password will be found again and it builds up a very verbose cracking dictionary that can be used on other sites.
“So any Vision Direct consumer that has reused their password should reset on other sites.”
A spokesperson for the company said: “We identified that approximately 16,300 customers were at risk of their data being compromised due to the recent data breach on our websites. Of that, 6,600 may have had financial data compromised and 9,700 personal and other data.
“We are currently working with the ICO and other authorities to investigate the data theft and to ensure that we are communicating the appropriate actions to all customers affected.”