Loyaltybuild attack: 500,000 people may have had credit card details stolen

Filed Under: Data loss, Featured

LoyaltybuildThousands of people across Europe and, more specifically, in Ireland have had their credit card and personal details stolen after a company which runs reward schemes was hacked.

Investigators have discovered that more than 376,000 people have had their details pilfered after Loyaltybuild's data centre in County Clare, Ireland was breached. It is believed that a further 150,000 potential client records may also have been compromised.

Of this figure some 70,000 or so were SuperValu customers and over 8000 were clients of AXA Leisure Break.

SuperValu is now contacting its customers to advise them that there is a "high risk" that an unauthorised third party has accessed details of cards used to pay for Getaway Breaks between January 2011 and February 2012.

The company said that the Getaway Breaks booking system has now been suspended until further notice. The company also emphasised that only data collected through Loyaltybuild was at risk and that other SuperValu customers would not be affected.

AXA said it will be contacting all of its customers whose data may be at risk and will advise them to check their credit card statements for any unauthorised activity.

It is not just credit card data that has been stolen though - Ireland's Office of the Data Protection Commissioner (ODPC) has revealed that over one million people have had their personal data taken too:

The inspection team also confirmed that name, address, phone number and email address of 1.12m clients were also taken. The initial indications are that these breaches were an external criminal act.

In a statement on its website Loyaltybuild said on Monday that it had been the victim of “a sophisticated criminal attack” and that it had informed the relevant authorities.

Loyaltybuild went on to say that:

We are working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers, who are of paramount importance to us.

The breach was originally discovered on October 25 - over two weeks before they disclosed the breach - which does make you wonder just how important it really feels its customers are.

The Irish Times said this morning that the stolen financial information was stored in an unencrypted format, along with the 3-digit CSV numbers found on the back of all credit cards.

Oh dear.

Ireland's Data protection Commissioner, Billy Hawkes, told RTE's Morning Ireland program that:

It's important that the customers affected actually look and check with their financial institutions, identify if there are any transactions they didn't authorise.

The Commissioner also told the program that his team will continue to investigate the breach in order to discover the full extent of the stolen data and may need to call upon the services of Interpol to aid in the investigation.

One area which they continue to examine is the possibility that passwords may have also been compromised. Given that many people still recycle passwords, all Loyaltybuild customers should change theirs immediately, irrespective of the ODPC's subsequent findings.

It's another reminder to us all to not use the same password on multiple sites.

Loyaltybuild customers should also be extra vigilant in respect of any emails they receive in the coming weeks – there is a possibility that whoever has this customer data could use it to execute a targeted phishing campaign.

If you are concerned you may have been affected by this breach, you can contact SuperValu on 0870 178 2002 and AXA on 0870 162 0053.


Image of hacking sign courtesy of Shutterstock.

, , , , ,

You might like

7 Responses to Loyaltybuild attack: 500,000 people may have had credit card details stolen

  1. Alanzo Hern · 346 days ago

    I thought the credit card companies' rules forbade storing the CSV numbers.

    • NoSpin1600 · 346 days ago

      Let alone storing them unencrypted.

    • Ancient Brit · 342 days ago

      Unless things have changed since I last worked for a CC Transaction Company, merchants are permitted to store CSV "temporarily" (i.e., for no more than 24 hours). But storing such data unencrypted? Jeez.

  2. Tom · 346 days ago

    Northern Ireland? Tad more research/checking facts needed...

    • Anna Brading · 345 days ago

      This has been fixed, thanks for pointing it out.

  3. What a surprise, another 'Sophisticated Attack.' Funny how no-one ever gets hacked for doing something catastrophically stupid.

    Interesting to note that loyaltybuild make no mention of IT security on their website. Except for in the boilerplate privacy policy which even they've probably never read. Yet these companies still let them collect their clients' credit card details.

  4. Paul · 339 days ago

    Just wondering, does anyone know if these guys were PCI compliant.
    It would be interesting to know how the whole unencrypted information passed muster if they were?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.