Loyaltybuild, a County Clare-based company that works with European retailers to roll out – what else? – loyalty programs, keeps credit card details, telephone numbers and home addresses of consumers in its databases. The Irish Times reported that cybercriminals were able to access partial information for different customer segments.
Hackers snagged the credit card details of 376,000 people across Europe (70,000 of them in Ireland), and were able to lift the names, addresses and phone numbers of an additional 1.1 million. Further, another 150,000 people “may” have had their credit card information compromised.
All of Loyaltybuild’s consumers in its territories (the UK, Ireland, Scandinavia and Switzerland) were warned to monitor their accounts for unusual activity, but certain campaigns were hit specifically: about 62,000 Supervalu customers who bought the “Getaway Breaks” promotion between January 2011 and February 2012 were affected, as were 8,000 consumers who went for the Axa leisure break rewards program.
The Irish police force, known as the Gardaí, launched an investigation after the company lodged a formal complaint. The investigators found a disturbing fact: the financial information had been stored in unencrypted form, including the critical three-digit security code on the back of the cards, necessary for most online transactions.
According to Data Protection Commissioner Billy Hawkes, the investigation has uncovered that the perpetrators were external to the company, but tracking them down further will take some time and, possibly, international cooperation.
For its part, Loyaltybuild issued a brief statement on its website acknowledging that it has been the victim of a “sophisticated criminal attack” and noting that data breaches are the “reality of doing business today.”
It did not address the glaring issue of its decision to keep unencrypted personal information on hand, but it apologized to its customers and said that it has launched its own investigation into the attack. It noted that the DPC and the Gardaí will be kept informed of any further developments from the examination.
“We are working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers, who are of paramount importance to us,” it added. “From the moment we first detected a suspected security breach on Friday, October 25th we immediately engaged the services of an expert forensics security team and have worked tirelessly to try to rectify this situation.”
It added, “As the safety of our customer data is of utmost importance to us we immediately informed our clients of this new development so they could put their own processes in place to inform customers of any potential compromise to their data.”