About 6,700 ESB customers affected by huge data breach

Information relating to loyalty scheme in 2007-2008 was on compromised Loyaltybuild systems

The online attack that has seen the banking and personal details of up to 1.5 million people across Europe being breached will lead to a difficult and complex criminal investigation, Garda Commissioner Martin Callinan has said.
The online attack that has seen the banking and personal details of up to 1.5 million people across Europe being breached will lead to a difficult and complex criminal investigation, Garda Commissioner Martin Callinan has said.

The personal information of about 6,700 ESB customers is now known to have been included in a massive data breach affecting the Loyaltybuild company in Ennis, Co Clare.

Electric Ireland confirmed it had been informed by Loyaltybuild that the data breach had affected ESB customers who participated in a loyalty scheme run by the ESB in 2007 and 2008.

In total, about 1.5 million people across Europe have had their personal details compromised in the breach, including 80,000 Supervalu customers and 8,000 Axa customers.

In an update this evening, the Data Protection Commissioner said the latest affected data related to customer contact details of approximately 6700 ESB customers including name, address, phone number, email and a booking reference.

READ SOME MORE

“ It is understood that financial data are not involved,” the office said..

Electric Ireland will be notifying affected customers.

The commissioner said customers should be vigilant about any unsolicited communications which may result from the data breach.

The commissioner sent investigators to the Ennis firm yesterday to investigate the breach. It is likely the office will examine, amongst other issues, why Loyaltybuild retained personal data relating to a 2008 loyalty scheme until as recently as last month.

Meanwhile, Garda Commissioner Martin Callinan said the online attack that has seen the banking and personal details of up to 1.5 million people across Europe being breached will lead to a difficult and complex criminal investigation because those responsible were most likely based outside the State.

However, the international nature of the crime would not frustrate the Garda’s cyber crime investigators in their efforts to catch those respand complex’ onsible, with many cases in the past involving crime syndicates overseas.

Some 80,000 Supervalu customers who bought its Getaway breaks between January 2011 and February 2012 have been hit as have 8,000 who took advantage of Axa’s leisure break rewards programme.

The Data Protection Commissioner’s office is investigating the breach and said it appeared to have happened in mid-October.

“These customers - who should by now have been notified directly by Supervalu and Axa - should examine their card transactions since mid-October to identify any such transactions that they did not authorise,” the commissioner’s office said.

“They should also follow the advice of their card provider on any further precautions that might be necessary to protect themselves.”

The office said the balance of the approximately half-million other cards that may have been affected by this breach relateed mainly to loyalty schemes operated by Loyaltybuild on behalf of companies based in other European countries.

ESB Customer Supply, which used Loyaltybuild for some marketing schemes “four or five years ago” confirmed today it had contacted the company to seek assurances that its customers were not affected by the breach.

Mr Callinan said that despite the criminal investigation now underway into the attack on the Co Clare based company providing customer loyalty scheme services to retailers across Europe, Irish consumers needed to take their own precautions.

“It’s important your personal details are kept as private as they possibly can be,” he said.

“Companies have a responsibility as well and they’re supposed to have sufficient firewalls in place.

But technology and advances in technology are such that people will attempt to hack in and we believe that’s probably what’s happened on this occasion.”

He said a report on the attack by the Loyaltybuild company was being reviewed by the Garda Bureau of Fraud Investigation, which was leading the probe and was supported by the Computer Crime Investigation Unit.

When asked if those responsible were probably based outside the State, he said: “Well of course that’s typical of what happens with cyber crime nowadays.

“And generally speaking, servers are in different countries from the jurisdiction that’s actually investigating. That adds to the degree of difficulty and the complexity of the investigation. But we are no different from any jurisdiction in that respect.”

While Fianna Fáil had urged any of the 70,000 Irish payment card holders affected by the breach to destroy their cards, Mr Callinan stopped short of issuing any such advice, saying it was a personal choice for consumers.

He noted credit and other payment cards were used millions of times every day without being breached.

Mr Callinan was speaking to the media this morning ahead of the opening of a crime summit in the Garda College, Templemore, Co Tipperary, at which he and his senior officers will review their approach to a range of crimes and policing challenges in a climate of reduced resourcing.

The data breach now being investigated by the Garda and Data Protection Commissioner appears to be one of the biggest in the history of the State, though there is no evidence at this time any money has been stolen from the cards of any of the people whose details were stolen.

All told, the credit card details of 376,000 people across Europe - including almost 70,000 in Ireland - have been seriously compromised after criminals successfully targeted the Loyaltybuild company and exposed enormous weaknesses in its security systems.

A further 150,000 people have had their credit card details potentially compromised while the names, addresses, telephone numbers and emails of more than 1.1 million customers of companies who were doing business with Loyaltybuild were also taken in the cyber attack.

The company had lodged a formal complaint to gardaí over the issue and two investigators from the office of Data Protection Commissioner Billy Hawkes spent yesterday going through the company's computer systems.

Mr Hawkes confirmed that financial information had been stored in unencrypted form, along with the three-digit security code printed on customers’ cards.

A spokesman for the Information Commissioner’s Office in the UK said it had been in contact with the Data Protection Commissioner here and would be kept updated on the investigation.

Conor Lally

Conor Lally

Conor Lally is Security and Crime Editor of The Irish Times