Concerns raised over Argos' customer data practices

5th Mar 2010

Doubts have been raised about the online security practices of Argos after it was revealed that the high street retailer was exposing customers’ personal information in order confirmation emails.

Although the issue has now apparently been fixed, the company was including customers’ full name, address, credit card number and three-digit CCV security code in the emails, which are sent out once consumers have placed an order on its website.

Though the credit card details did not appear in the text of the email itself, they were contained in plain text in the HTML code, which meant that they could potentially have been viewed by anyone intercepting or gaining access to such messages.

The same messages also included a web link that was meant to direct customers to Argos’ security page. But the URL contained their full name, address and credit card details. As a result, anyone clicking on the link would have left their details, written in plain text, in their browser web history, posing a particular risk to public PC users in internet cafes.
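A pre-send check of the kind that catches both leaks described above, card numbers in non-rendered HTML and in link query strings, is shown here as an added example; it is not code from the article or from Argos. The function names and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# 13-19 digits, optionally separated by spaces or hyphens
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    # Luhn checksum: rejects order references and other long digit runs
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    cands = (re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(text))
    return [c for c in cands if luhn_ok(c)]

class EmailScanner(HTMLParser):
    # Walks the markup itself, so values the mail client never renders are checked
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (location, masked number)

    def _record(self, where, text):
        for pan in find_pans(text):
            self.findings.append((where, "*" * (len(pan) - 4) + pan[-4:]))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action"):  # link targets: check each query parameter
                for key, val in parse_qsl(urlsplit(value or "").query):
                    self._record(f"url:{key}", val)
            else:
                self._record(f"attr:{tag}.{name}", value or "")

    def handle_data(self, data):
        self._record("text", data)

def scan_email_html(html):
    scanner = EmailScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample message; 4111 1111 1111 1111 is a widely used test card number
SAMPLE = ('<p>Thank you for your order. Ref 1234567890123</p>'
          '<input type="hidden" name="card" value="4111 1111 1111 1111">'
          '<a href="https://shop.example/help?cc=4111111111111111&amp;cv=123">Security</a>')
```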

Customer Tony Graham from Wiltshire was the first to bring the issue to light when he contacted tech magazine PC Pro about his concerns. He was searching for another order confirmation email in his mailbox using the last four digits of his credit card number, but was surprised to find the Argos order confirmation in his results.

As he was unable to find his credit card number in the email itself, he clicked the ‘View Source’ option and discovered his card number and security code embedded in the HTML code.

Graham reportedly told Argos about the situation, but initially received no reply, although the company later informed him that it had fixed the issue. Due to this initial lack of response, he contacted the firm’s secure payment provider VeriSign, which confirmed the matter.

Graham’s credit card details were subsequently stolen, although there is no evidence that the theft was linked to the Argos email.


Argos said in a statement to PC Pro: "As far as we are aware, Mr Graham is the only customer to have contacted us regarding this potential issue, which has now been fully investigated and resolved to prevent it from happening in the future."

The statement continued that the company had written to him to apologise for the incident and reassured him that it had acted swiftly to amend its procedures.

"We have no reason to believe that Mr Graham’s details have been compromised as a result of this incident. We have an obligation to protect our customers’ data and to ensure its security, so we cannot reveal information relating to our data processing arrangements nor regarding our dealings with other customers," the statement added.

The second URL-related situation, however, was discovered by Paul Lomax, chief technology officer at Dennis Publishing, which owns PC Pro magazine. He ordered furniture from Argos last September and had his credit card details stolen a few months later, although again there is no evidential link between the two incidents.

In a second statement to the publication, the retailer said that it took the security of customer data "extremely seriously" and was fully aware of the requirements of the Data Protection Act. Therefore, it had taken "remedial action" in relation to the matter.

It added that it was in contact with the Information Commissioner’s Office and had made it aware of "our approach to customer communications". It also planned "to continue to work closely with them to ensure we are taking all appropriate actions," the statement said.

PC Pro said that the flawed emails were being sent out as early as last September but the problem was not fixed until last month.
