Thousands of people across Europe and, more specifically, in Ireland have had their credit card and personal details stolen after a company which runs reward schemes was hacked.
Investigators have discovered that more than 376,000 people have had their details pilfered after Loyaltybuild’s data centre in County Clare, Ireland was breached. It is believed that a further 150,000 potential client records may also have been compromised.
Of this figure some 70,000 or so were SuperValu customers and over 8000 were clients of AXA Leisure Break.
SuperValu is now contacting its customers to advise them that there is a “high risk” that an unauthorised third party has accessed details of cards used to pay for Getaway Breaks between January 2011 and February 2012.
The company said that the Getaway Breaks booking system has now been suspended until further notice. The company also emphasised that only data collected through Loyaltybuild was at risk and that other SuperValu customers would not be affected.
AXA said it will be contacting all of its customers whose data may be at risk and will advise them to check their credit card statements for any unauthorised activity.
It is not just credit card data that has been stolen though – Ireland’s Office of the Data Protection Commissioner (ODPC) has revealed that over one million people have had their personal data taken too:
The inspection team also confirmed that name, address, phone number and email address of 1.12m clients were also taken. The initial indications are that these breaches were an external criminal act.
In a statement on its website Loyaltybuild said on Monday that it had been the victim of “a sophisticated criminal attack” and that it had informed the relevant authorities.
Loyaltybuild went on to say that:
We are working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers, who are of paramount importance to us.
The breach was originally discovered on October 25 – over two weeks before they disclosed the breach – which does make you wonder just how important it really feels its customers are.
The Irish Times said this morning that the stolen financial information was stored in an unencrypted format, along with the 3-digit CSV numbers found on the back of all credit cards.
Oh dear.
Ireland’s Data Protection Commissioner, Billy Hawkes, told RTE’s Morning Ireland programme that:
It's important that the customers affected actually look and check with their financial institutions, identify if there are any transactions they didn't authorise.
The Commissioner also told the program that his team will continue to investigate the breach in order to discover the full extent of the stolen data and may need to call upon the services of Interpol to aid in the investigation.
One area which they continue to examine is the possibility that passwords may have also been compromised. Given that many people still recycle passwords, all Loyaltybuild customers should change theirs immediately, irrespective of the ODPC’s subsequent findings.
It’s another reminder to us all to not use the same password on multiple sites.
Loyaltybuild customers should also be extra vigilant in respect of any emails they receive in the coming weeks – there is a possibility that whoever has this customer data could use it to execute a targeted phishing campaign.
If you are concerned you may have been affected by this breach, you can contact SuperValu on 0870 178 2002 and AXA on 0870 162 0053.
I thought the credit card companies’ rules forbade storing the CSV numbers.
Let alone storing them unencrypted.
Unless things have changed since I last worked for a CC Transaction Company, merchants are permitted to store CSV “temporarily” (i.e., for no more than 24 hours). But storing such data unencrypted? Jeez.
Northern Ireland? Tad more research/checking facts needed…
This has been fixed, thanks for pointing it out.
What a surprise, another ‘Sophisticated Attack.’ Funny how no-one ever gets hacked for doing something catastrophically stupid.
Interesting to note that loyaltybuild make no mention of IT security on their website. Except for in the boilerplate privacy policy which even they’ve probably never read. Yet these companies still let them collect their clients’ credit card details.
Just wondering, does anyone know if these guys were PCI compliant?
It would be interesting to know how the whole unencrypted information passed muster if they were?