Supervalu security breach takes sinister twist

Analysis: has enough been done to protect those affected?

Nearly 70,000 people potentially affected by the breach have been urged to go through their credit card statements to look for any rogue or unexplained transactions. File Photograph: Frank Miller/The Irish Times
Nearly 70,000 people potentially affected by the breach have been urged to go through their credit card statements to look for any rogue or unexplained transactions. File Photograph: Frank Miller/The Irish Times

What started out as a routine investigation after unexplained code was found on a computer in a Clare-based company processing financial data of over 70,000 Supervalu and Axa customers has taken a sinister twist .

It emerged yesterday the security breach was far more dangerous and widespread than was previously thought.

Last Tuesday this newspaper broke the story that 39,000 Supervalu customers who bought its "getaway breaks" were potentially exposed to a computer hack at the US-owned company Loyaltybuild, while a further 4,000 people with the insurance company's loyalty reward programme had also been affected.

Everything changed yesterday when Loyaltybuild contacted the DPC again to say financial details of more than 62,000 Supervalu customers and 8,000 Axa customers who had paid for breaks between January 2011 and February 2012 had been seriously compromised and could now be used by a third party to make purchases or - worse again - clone credit or debit cards.

READ SOME MORE

When the breach first emerged, the three companies insisted there was no sign that any personal or financial data had been extracted or compromised. Both Axa and Supervalu urged those who had booked breaks through their reward schemes to do no more than review their accounts and report any unusual activity or unsolicited communication connected with the deal to their bank.

The Data Protection Commission was informed but the investigation was still relatively low key.

When the DPC recieved confirmation the security breach had worsened yesterday, it dispatched two of its investigators to Co Clare to go through Loyaltybuild’s computer systems. Supervalu was also sending its people to the site.

"We now know that the criminals involved have all the information that they need to use the credit cards of the people concerned to make purchases and that's why we required both companies to issue the statements they have issued.," Data Protection Commissioner Billy Hawkes said this morning.

It has taken a long time for information to come to light. It has been nearly three weeks since signs of the breach were first detected. It affects customers who bought holidays up to three years ago.

This has prompted questions as to why such a serious incident can remain undetected for so long.

“To be fair, cyber-criminals have become extremely sophisticated and it can become quite difficult to actually identify that your systems have been penetrated,” Mr Hawkes said today. “Nevertheless it is extremely serious that it was possible for these criminals to access unencrypted data on credit cards which was sufficient to basically use these credit cards as if they were the people concerned.”

Loyaltybuild says it is working “around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers”. On legal advice, it has declined to shed any light on the nature of the investigation or those behind it.

The Garda Bureau of Fraud Investigation has also received a report on the security breach from the company. Informed sources say any such inquiry could be hampered by the fact the perpetrators could be based outside of this jurisdiction.

Nearly 70,000 people potentially affected by the breach have been urged to go through their credit card statements to look for any rogue or unexplained transactions. They will be able to take some comfort from the fact that they are unlikely to lose out as a result of any fraud perpetrated on their account as unless the card hold can be shown to be at fault - which they would clearly not be in this case - the money will be refunded.

Who pays the ultimate price is what remains to be seen.

Conor Pope

Conor Pope

Conor Pope is Consumer Affairs Correspondent, Pricewatch Editor