Credit card numbers of Argos customers were exposed in emails sent to them.

An email snafu by an online catalogue company is a good example of why both inbound and outbound electronic correspondence should be filtered not only to ensure that nasty payloads aren’t delivered to an organization but also to prevent sensitive information from being exposed to unsavory elements.

The email blunder involved a company called Argos. It is a multi-channel retailer, based in the United Kingdom, of merchandise for the home. During its last financial year, it had more than $6.4 billion in sales, 26 percent of it from the Internet.

After a probe by PC Pro magazine, it was discovered that the High Street retailer was sending out the credit card numbers of their online customers in plaintext emails confirming purchases. Should the emails be intercepted in transit or otherwise hijacked, the credit card information could be used for fraudulent charges.

What’s worse, the emails also contain an Internet link, or URL, that contains the recipient’s name, address and credit card details. If the customer clicks on the link, the URL containing the personal information would become part of the customer’s browser history, where it could be vulnerable to cyber snoopers. Moreover, the URL would be stored in the service logs of whomever is providing the customer with Internet service–his or her employer or ISP–as well as in Argos’s web analytics software which captures URLs used to access its Web site.

Two victims of the security lapse by Argos were cited by PC pro. Paul Lomax, chief technology officer at Dennis Publishing, and Tony Graham, reader of the publication. Both reported their credit card details stolen after receiving the vulnerable emails from the retailer.

Graham discovered the gaff when searching through his email for the last four digits of his credit card number. When he checked a message from Argos that appeared in the search results, he was puzzled. No credit card numbers appeared in the text of the correspondence. It was only when he opened up the source code behind the email that he discovered the URL bursting with personal and sensitive information.

Continue reading Solid email security requires inbound and outbound filtering