
Argos credit card scandal worsens

PCPro has reported weaknesses with the online security of high street retailer Argos.

Argos has been sending customers unencrypted credit card numbers and security codes within e-mails confirming orders, potentially exposing customers to online fraud.

Then it emerged that those very same confirmation emails contain a web link - ironically intended to direct customers to Argos's security page - which contains the customer's full name, address and credit-card details in the URL itself.

Customers clicking on that web link would therefore leave plain text details of their credit-card numbers in their browser web history, which could be particularly problematic on shared or public PCs such as those in internet cafes or public libraries.

This amount of information is being sent unencrypted over email, so anybody monitoring network traffic could see the data. If the email is going to a webmail account, this information will be stored and accessible to people with access to those servers.

Argos has refused to comment on how many customers have been affected or whether it had contacted customers who received the flawed emails.

PCPro’s investigation shows the faulty emails were being sent out as early as last September, but the problem wasn't fixed until last month.

I think the problem is no matter how large or small a Retail Company is, there’s probably a small company somewhere actually doing this work, and the programmer probably hasn’t ever been taught how to handle Credit Card or Personal data.

When checking into a small Hotel, have you ever leaned over the desk to see what system they are using for your Reservation? I always do – often it's Excel.

I had an incident a couple of years ago where a small Retailer, who probably designed his own Invoicing system in Excel, sent me a paper Invoice in the post, and on the Invoice was my full 16-digit Credit Card number, the Expiry Date & the CVV (you know, the one he’s not supposed to keep a copy of), plus my Name & Address. Horrified, as I didn’t know who his Acquirer was (it was mail order and I wasn’t going to drive 100 miles to see whose decal was on his POS), I wrote to all the major Acquirers.

I still have their responses: Barclays said: take it up with your Card Issuer (excuse me, it's an Acquirer issue?); HSBC said please call us to discuss (I didn’t); Lloyds TSB said report it to the Financial Ombudsman Service (that’s a little overkill?), and Natwest/RBS (the biggest Acquirer I believe?) never replied at all.
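
A pre-send check for the exposure reported in the article (card numbers in the confirmation e-mail body and in the query string of a link), as an added example that is not part of the original post or any retailer's code. The sample message, host name and parameter names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so findings are safe to log."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text: str) -> list[str]:
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def scan_email(body: str) -> list[tuple[str, str]]:
    """Return (location, masked PAN) findings for one outbound message body."""
    findings = []
    for url in URL_RE.findall(body):
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            for pan in find_pans(value):
                findings.append((f"url-param:{name}", mask(pan)))
    body_without_urls = URL_RE.sub(" ", body)   # avoid reporting URL hits twice
    for pan in find_pans(body_without_urls):
        findings.append(("body", mask(pan)))
    return findings

# Constructed sample (example.test host, standard 4111... test number), not a real e-mail.
SAMPLE = (
    "Thank you for your order 00123456.\n"
    "Card: 4111 1111 1111 1111\n"
    "Security info: https://shop.example.test/security?name=J+Smith&card=4111111111111111&ref=00123456\n"
)
```

Run over rendered e-mail templates before sending, a non-empty result from `scan_email` is a reason to block the message.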


Comments: (2)

A Finextra member 11 March, 2010, 06:18

I agree that no matter the effort the industry makes, there is always a weak link.  Virgin Media e-mailed me my complete bank account details in the confirmation of a direct debit set-up, along with my address.  To be fair, they responded to my complaint rapidly and positively with a commitment to retrain their staff. 

I have previously tried to raise merchant behaviour issues (CVV retention) in the same way as you describe and with pretty much the same results.  How hard would it be for the small number of acquirers to provide a shared "merchant concern reporting system" under the APACS brand where consumers could report such issues without needing to know the merchant's acquirer relationship?

Keith Appleyard - available for hire - Bromley 11 March, 2010, 08:28

I forgot to mention that of course none of the Acquirers asked me for the Name & Address of the offending Merchant - you might have thought their first reaction might have been "is it one of ours"?

Keith Appleyard

IT Consultant
