Argos exposes customers' credit-card numbers in emails 
Legend

Joined: Sun Apr 26, 2009 12:30 pm
Posts: 45931
Location: Belfast
http://www.pcpro.co.uk/news/security/35 ... -in-emails

I've only ever reserved stuff for the most part I have to say...

_________________
Plain English advice on everything money, purchase and service related:

http://www.moneysavingexpert.com/


Wed Mar 03, 2010 10:08 am
Legend

Joined: Sun Apr 26, 2009 12:30 pm
Posts: 45931
Location: Belfast
Argos credit-card scandal worsens

Quote:
Fresh doubts have been raised over the online security of high street retailer Argos, following a PC Pro investigation.

Yesterday, we revealed that Argos was sending customers' unencrypted credit-card numbers and security codes in order confirmation emails, potentially exposing them to online fraud.

Now it's emerged that those very same confirmation emails contain a web link - ironically intended to direct customers to Argos's security page - which contains the customer's full name, address and credit-card details in the URL itself.

Customers clicking on that web link would therefore leave plain text details of their credit-card numbers in their browser web history, which could be particularly problematic on shared or public PCs, such as those used by web cafes.

It would also leave the customers' details stored in the server logs that are maintained by employers and ISPs, as well as Argos' own web analytics software, which logs the URLs used to access its website.

The flaw was discovered by Dennis Publishing's chief technology officer, Paul Lomax, who ordered furniture from Argos last September and had his credit-card details stolen a few months later. PC Pro reader Tony Graham, who alerted us to the flawed emails in the first place, also had his card details stolen after placing an order with Argos, although there's no evidence to tie Argos to the credit-card thefts.

Broken "spirit of the law"

Security experts say Argos' system was seriously flawed. "Argos say 'we take security of your details seriously'. It seems more like, 'We don’t take security of your details seriously. We may send you email from time to time with your payment card details in it," said Sophos Labs security expert, Paul Baccas.

"Sending this amount of detail is a bad idea, and it has been poorly implemented. Having the customers’ PII [personally identifiable information] and PCI [payment card information] within the email - while possibly not breaking the Data Protection Act - has broken the spirit of the law, and I would suspect that the Data Protection Commissioner would like to be informed."

"This information is being sent unencrypted over email, so anybody monitoring network traffic could see the data. If the email is going to a webmail or company account, this information will be stored and accessible to people with access to those servers," he added.

"We know that bad guys monitor network traffic and hack web servers. Malware already searches computers for locally stored emails to garner PII. I see this every day in my line of work."

Argos comment

In a statement sent to PC Pro Argos said that it "takes the security of its customers’ data extremely seriously, is fully aware of the requirements of the Data Protection Act and has taken remedial action in relation to this matter.

"We are in contact with the Information Commissioner’s Office. We have made them aware of our approach to customer communications and will continue to work closely with them to ensure we are taking all appropriate actions."

Argos has refused to comment on how many customers have been affected or whether it had contacted customers who received the flawed emails.

Our own investigation shows the faulty emails were being sent out as early as last September, but the problem wasn't fixed until last month.


http://www.pcpro.co.uk/news/security/35 ... al-worsens

Jesus wept, what were they playing at? :shock:



Thu Mar 04, 2010 11:39 pm
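The article quoted above describes card numbers and security codes travelling in the query string of the confirmation email's "security" link, so that they end up in browser history, in ISP and employer proxy logs, and in the retailer's own access and analytics logs. The following Python script is an added example for this thread, not code from the PC Pro article, Argos or anyone quoted here: it is the check a site operator would run over their own web-server access logs to find that kind of leakage. It parses each request line, decodes the query string, Luhn-validates any 13 to 19 digit value so that a plain order number is not mistaken for a card number, flags parameters named like a security code, and can re-encode a query with the card data masked so the log can be retained safely. The log lines, the test card numbers and the parameter names (`card`, `cvv`, `pan`) are constructed assumptions.

```python
"""
Scan web-server access logs for payment-card data carried in URL query strings.

Added example for this thread, not code from the PC Pro article or from Argos.
The log lines and the parameter names (card, cvv, pan) below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed Combined Log Format lines. The card numbers are the widely
# published test PANs 4111 1111 1111 1111 and 5500 0000 0000 0004, not real
# cards; line 2 carries a 16-digit order number that fails the Luhn check.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2010:10:08:00 +0000] "GET /security.html?name=J+Smith&card=4111111111111111&cvv=123 HTTP/1.1" 200 512
203.0.113.8 - - [04/Mar/2010:10:09:00 +0000] "GET /security.html?orderid=4111111111111112 HTTP/1.1" 200 512
203.0.113.9 - - [04/Mar/2010:10:10:00 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.10 - - [04/Mar/2010:10:11:00 +0000] "GET /confirm?pan=5500%200000%200000%200004 HTTP/1.1" 200 512
"""

# Parameter names that should never appear in a URL at all (assumed names).
SECURITY_CODE_KEYS = {"cvv", "cv2", "cvc", "securitycode", "security_code"}

# Request line inside a Combined Log Format record.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask all but the last four digits, which is what a retained log may keep."""
    return "X" * (len(pan) - 4) + pan[-4:]


def find_card_data(query: str) -> list:
    """Inspect one query string and report parameters carrying card data."""
    findings = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        # "5500 0000 0000 0004" and "5500-0000-0000-0004" both become one run of digits
        digits = re.sub(r"[\s-]", "", value)
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"param": key, "kind": "pan", "masked": mask_pan(digits)})
        elif key.lower() in SECURITY_CODE_KEYS and value:
            findings.append({"param": key, "kind": "security_code", "masked": "XXX"})
    return findings


def scan_log(text: str) -> list:
    """Return one record per log line whose query string leaks card data."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        findings = find_card_data(target.query)
        if findings:
            hits.append({
                "line": line_no,
                "client": line.split(" ", 1)[0],
                "path": target.path,
                "findings": findings,
            })
    return hits


def redact_query(query: str) -> str:
    """Re-encode a query string with card data masked, for safe log retention."""
    masked = {f["param"]: f["masked"] for f in find_card_data(query)}
    pairs = [(k, masked.get(k, v)) for k, v in parse_qsl(query, keep_blank_values=True)]
    return urlencode(pairs)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['client']} {hit['path']}: "
              + ", ".join(f"{f['param']}={f['masked']} ({f['kind']})"
                          for f in hit["findings"]))
```

Run against the constructed sample, lines 1 and 4 are reported and line 2 is not, because the order number fails the Luhn check. The same `find_card_data` check applies unchanged to proxy logs or analytics exports, since all of them record the request URL; the point of masking rather than deleting is that the retailer still needs the record to work out which customers were affected.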
Legend

Joined: Fri Apr 24, 2009 2:02 am
Posts: 29240
Location: Guantanamo Bay (thanks bobbdobbs)
Thankfully I have not used Argos for ages, but I better check because I suddenly remember some kitchen scales that I bought. Argos have messed up badly on this.

_________________
Do concentrate, 007...

"You are gifted. Mine is bordering on seven seconds."

https://www.dropbox.com/referrals/NTg5MzczNTk

http://astore.amazon.co.uk/wwwx404couk-21


Fri Mar 05, 2010 12:30 am
I haven't seen my friends in so long

Joined: Fri Apr 24, 2009 7:17 am
Posts: 5550
Location: Nottingham
I have used it but I think instore. The time I used it online was with an Argos card (9 months interest free jobbie) so I'm safe. It's absolutely shocking though. Some of their responses have sounded a bit lame to be honest. I hope they get nailed for this.

_________________
Twitter
Blog
flickr


Fri Mar 05, 2010 10:45 am
Legend

Joined: Fri Apr 24, 2009 2:02 am
Posts: 29240
Location: Guantanamo Bay (thanks bobbdobbs)
veato wrote:
I hope they get nailed for this.

I hope that the Data Commissioner does just that.



Fri Mar 05, 2010 10:52 am
Legend

Joined: Sun Apr 26, 2009 12:30 pm
Posts: 45931
Location: Belfast
Quote:
Argos has failed to inform customers that their credit-card details have been compromised, more than three weeks after PC Pro first exposed the glaring hole in the company's website security.

On 4 March, we revealed how Argos had included customers' names, addresses, credit-card numbers and security codes in unencrypted order confirmations.

It was subsequently revealed that a link to Argos's security page also contained the credit-card details in a plain text link, potentially leaving the data strewn in web browser history, as well as employers' and ISPs' server logs.

The flawed emails were being sent from last April, right through to the beginning of this month when we alerted the store to the issue. At least two people who received the emails have subsequently had their credit-card details stolen, although there's no evidence to tie the emails to the thefts.

Affected customers have told PC Pro that they've received no warning from the company that their credit-card details have been compromised. When we asked Argos today whether it had contacted customers who received the insecure emails, it refused to answer the question.

"We would like to reiterate that Argos takes the security of its customers' data extremely seriously and has taken appropriate action in relation to this matter," Argos said in a statement. "Argos is in contact with the Information Commissioner's Office and has made them aware of its approach to customer communications."

The Information Commissioner's Office refused to comment on the advice it has given Argos.

Stolen details

Although Argos seems unwilling to raise the alarm, the company is responding to individual complaints from customers.

When Dennis Publishing's chief technology officer, Paul Lomax, complained to the store that his credit-card details had been stolen after placing an order, he was told: "We do not believe that your details have been compromised as a result of this issue."

The response infuriated Lomax. "You have absolutely no basis for your belief that my details have not been compromised as a result of this issue," he wrote in reply to the email.

"You have sent my full credit-card details, including CVV and address, in plain text over the internet. Once this email left your server you have absolutely no way of guaranteeing its security - it would have passed through various points on the way to my email inbox. Plus, since I clicked the 'online security' link, you have also put my credit-card details into my ISP's URL logs, their proxies, my browser history, and God knows where else."

That complaint was met with the same boilerplate reply as his first.


http://www.pcpro.co.uk/news/security/35 ... ard-fiasco

Argos are screwed if they think this is just gonna go away...



Thu Mar 25, 2010 10:54 pm
Legend

Joined: Fri Apr 24, 2009 2:02 am
Posts: 29240
Location: Guantanamo Bay (thanks bobbdobbs)
If anything the sooner they fess up the better it will be for them. What will happen is that a consumer watchdog program will take this up and it will get out of control in terms of PR.



Fri Mar 26, 2010 12:34 am
Legend

Joined: Sun Apr 26, 2009 12:30 pm
Posts: 45931
Location: Belfast
Amnesia10 wrote:
If anything the sooner they fess up the better it will be for them. What will happen is that a consumer watchdog program will take this up and it will get out of control in terms of PR.


+1



Fri Mar 26, 2010 12:47 am
Legend

Joined: Fri Apr 24, 2009 2:02 am
Posts: 29240
Location: Guantanamo Bay (thanks bobbdobbs)
Maybe I should contact one of them? :twisted:



Fri Mar 26, 2010 1:02 am
Legend

Joined: Sun Apr 26, 2009 12:30 pm
Posts: 45931
Location: Belfast
Amnesia10 wrote:
Maybe I should contact one of them? :twisted:


Go ahead :D



Fri Mar 26, 2010 1:15 am
What's a life?

Joined: Fri Apr 24, 2009 10:21 am
Posts: 12700
Location: The Right Side of the Pennines (metaphorically & geographically)
on Facebook l3v1ck's brother-in-law wrote:
We ordered a fridge freezer and a few months later our card had been cloned. Coincidence?

_________________
pcernie wrote:
'I'm going to snort this off your arse - for the benefit of government statistics, of course.'


Fri Mar 26, 2010 7:41 am
Legend

Joined: Fri Apr 24, 2009 2:02 am
Posts: 29240
Location: Guantanamo Bay (thanks bobbdobbs)
l3v1ck wrote:
on Facebook, l3v1ck's brother-in-law wrote:
We ordered a fridge freezer and a few months later our card had been cloned. Coincidence?

I think not. I would make note of where else it had been used. I would report it to the police. Mention the problem with Argos. They might need a clue. ;)



Fri Mar 26, 2010 9:22 am