Clerys, Centra and Pigsback now embroiled in data breach

Banks carrying out assessment of numbers involved in breach at Co Clare company

Clerys clock on Dublin’s O’Connell Street. Photograph: Alan Betson / THE IRISH TIMES
Customers of a further eight companies including Clery's, Centra, Postbank and PigsBack have had their personal information stolen in the data breach at Co Clare-based company Loyaltybuild.

Credit card information of customers of Clery’s loyalty travel scheme as well as personal details including names, addresses, phone numbers and email addresses are now known to have been stolen in the cyber attack.

Non-financial information of customers of Centra, vouchers website PigsBack, Postbank Ireland and a small Ennis orthodontics company called TOG were also compromised.

Credit card details of Stena Line customers in Northern Ireland have also been compromised as have a small number of credit card details and the personal data of customers of Northern Unislim.

A source close to the investigation told The Irish Times that the number of customers affected in all the firms is comparatively small with around 150 people having had their financial data compromised in the new wave of breaches.

Centra said in a statement that its involvement with Loyaltybuild dated back to 2006 and the breach affected just 68 people who collected vouchers for city breaks across Europe.

Meanwhile Loyaltybuild confirmed this evening that it had ceased taking bookings on its website and over the phone. “We have done this to enable our external data experts to complete their investigation into the attack and to put into place the necessary protections and certifications to give our customers the highest degree of confidence when booking with us in the future,” the company’s general manager Peter Steenstrup said.

Two banks have confirmed that there are some indications of fraudulent activity on credit cards caught up in the breach. Both AIB and Permanent TSB have urged customers not to panic.

A spokeswoman for AIB said its helpdesk had been inundated with calls from concerned customers in recent days and that a “detailed trawl” of its computer systems was still under way. She said the investigation had uncovered some signs of fraudulent behaviour on some cards but stressed that it was not yet possible to link it directly to the cyber-attack on Loyaltybuild.

Permanent TSB said there are “some indications” of possible fraud on some of the cards but it could not confirm that it was directly linked to the Loyaltybuild breach.

"Given the scale of the theft and the number of cards involved, fraud on some of them is inevitable but there is nothing to suggest the criminals behind the attack on Loyaltybuild are behind it," said Una Dillon of the Irish Payment Services Organisation (IPSO).

She also said that a huge number of the compromised cards had already expired and would be useless to any fraudsters as a result. Among the stolen cards were 26,000 Laser cards which have been discontinued.

She also pointed out that anyone who did have money taken from a credit or debit card would have it reimbursed by their lender who would then pursue retailers for the lost money. “Under no circumstances will any consumer be left out of pocket as a result of this breach,” Ms Dillon said.

A Garda investigation has begun into the attack which has seen the personal details of more than 1.5 million people, including 80,000 Supervalu customers, 6,700 ESB customers and 8,000 Axa customers, stolen.

More companies caught up in the massive data breach affecting Loyaltybuild will be identified later today or tomorrow, but the Co Clare-based firm last night refused to say who they were or how many more people’s personal data will be put at risk as the crisis continues to widen.

“As our investigation unfolds, we have been in contact with our Irish clients and have been providing them with information regarding the matter,” a spokeswoman said.

“Each of our clients will determine the appropriate steps and communication required. It would be inappropriate for us to disclose the list of our clients that are involved in this matter.”

Loyaltybuild has also defended the piecemeal manner in which it has released information about the widespread theft of its customers’ personal data since the story broke last week, and it denied it had lost control of the situation.

A Data Protection Commission (DPC) source said some key questions it had asked Loyaltybuild about the Irish companies it had done business with remained unanswered. The source said the Data Protection Commission was "very concerned about the drip feed of information" over recent days.

Fianna Fáil's spokesman for jobs, enterprise and innovation Dara Calleary called on the Financial Regulator to address the security breach and said the drip feed of information needed to come to an end.

“We would ask that the financial regulator now get involved in this and bring an end to the information deficit here and give reassurances to people around this issue as well as the data protection agency.”

Conor Pope

Conor Pope is Consumer Affairs Correspondent, Pricewatch Editor