Over 1.5 million affected by Ennis data breach

Data Protection Commissioner investigates major security breach at Co Clare-based company which manages customer loyalty schemes across Europe

The Loyaltybuild premises on Station Road, Ennis, Co Clare. Investigators from the office of Data Protection Commissioner Billy Hawkes were sent to the company today.  Photograph:  Eamon Ward
The Loyaltybuild premises on Station Road, Ennis, Co Clare. Investigators from the office of Data Protection Commissioner Billy Hawkes were sent to the company today. Photograph: Eamon Ward

More than 1.5 million people are now known to have had personal information compromised by a major security breach at a Co Clare-based company which manages customer loyalty schemes across Europe.

A Garda investigation has been launched into what is fast becoming one of the worst data breaches in the history of the State.

All told the credit card details of nearly 400,000 people across Europe - including almost 70,000 in Ireland - have been seriously compromised after criminals successfully targeted the Loyaltybuild rewards company and exposed enormous weaknesses in its security systems.

A further 150,000 people have had their credit card details potentially compromised while the names, addresses, telephone numbers and emails of more than 1.1 million customers of companies who were doing business with the company across Europe were also taken in the hack.

READ SOME MORE

The company has lodged a formal complaint to the Garda and two investigators from the office of the Data Protection Commissioner Billy Hawkes were sent to the company.

Mr Hawkes confirmed that the financial information had been stored in unencrypted form, along with the three-digit security code printed on customers’ cards.

The commissioner’s office said this evening that it had been able to establish the attack was carried out by external sources but stressed that it was too early to say where it had originated.

Garda sources have said, however, that any investigation is likely to be considerably hampered if those behind it are based outside of this jurisdiction.

One of the first things the commissioner has been trying to establish is is why credit card information had been retained by Loyaltybuild.

“We are working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers, who are of paramount importance to us,” Loyaltybuild said

All told around 70,000 of Supervalu customers are at a "high risk" of having their payment details accessed by an unauthorised third party with those affected having paid for Supervalu Getaway Breaks between January 2011 and February 2012.

Loyaltybuild also manages Axa’s leisure break rewards programme and it confirmed that it was also a victim of the “sophisticated criminal attack” with as many as 8,000 of its customers having had their details stolen in the hack.

Loyaltybuild originally discovered the breach on October 25th and advised the Data Protection Commissioner and Supervalu a week later. Under a code of practice for data breaches published by the commissioner, such breaches should be reported within two working days.

Customers were first alerted to the problem 10 days ago but the true scale of the problem is only now emerging.

Investigators from the commissioner’s office were on site in Ennis today to find out how the credit card details of customers were compromised.

Mr Hawkes told Newstalk’s Pat Kenny programme his inspectors would be seeking to establish why credit card information had been retained by Loyaltybuild.

Mr Hawkes said the criminals involved had all the information that they needed to use the credit cards of the people concerned to make purchases. “That’s why we required both companies to issue the statements they have issued. We are also sending in inspectors to the company at the centre of the breach this morning,” Mr Hawkes said.

Speaking on RTÉ’s Morning Ireland programme, he said the key thing was for customers is to check the financial transactions on their credit cards over the last two years. He said people should identify any financial transactions they didn’t authorise and insist on getting refunds for these.

Mr Hawkes could not say at this stage why it had taken so long for the companies to become aware of the problem.

“To be fair, cyber-criminals have become extremely sophisticated and it can become quite difficult to actually identify that your systems have been penetrated.

“Nevertheless it is extremely serious that it was possible for these criminals to access unencrypted data on credit cards which was sufficient to basically use these credit cards as if they were the people concerned.”

He said his inspectors needed to “get to the bottom” of the issue to find out if there were any further measures that Axa and Supervalu needed to take to protect their customers.

Conor Pope

Conor Pope

Conor Pope is Consumer Affairs Correspondent, Pricewatch Editor