Vision Direct stated on its website:
“The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.”
The breach took place between 00:11 GMT on 3 November and 12:52 GMT on 8 November, said Vision Direct. Customers who logged in during those times to update their accounts, or anyone creating a new account will have been affected.
The hack is expected to have affected 16,300 customers. A spokeswoman for Vision Direct told the BBC that 6,600 customers were believed to have had details including financial data compromised, while a further 9,700 people had personal data but not card details exposed.
The contact lens retailer said a fake Google Analytics script hidden within its websites' code was the apparent cause of the hack and that its UK site was involved as well as local versions for Ireland, the Netherlands, France, Spain, Italy and Belgium.
Vision Direct's spokesperson provided further details on the cause of the breach to the BBC, saying:
"This particular breach is known as Shoplift and was already known to our technology team, who installed a patch provided by our web platform provider to prevent this form of malware. Unfortunately, this current incident appears to be a derivative against which the patch proved ineffective. We are continuing to investigate the breach and have made numerous steps to ensure this does not happen again."
