Credit card details of 500,000 European customers may have been hit by loyalty scheme breach
Tuesday 12 November 2013 22.42
The Data Protection Commissioner has said the credit card details of up to 500,000 people across Europe may have been compromised by the data breach at Loyaltybuild.
An inspection team from the Office of the Data Protection Commissioner has also confirmed that the names, addresses, phone numbers and email addresses of around 1.12 million clients were taken.
Billy Hawkes said his office has now made contact with colleagues across Europe to inform them of the security breach.
Loyaltybuild runs special offers and incentive schemes for major retailers, utilities and service providers in Ireland, the UK, Scandinavia and Switzerland.
The ODPC said an inspection team has confirmed that the full card details of over 376,000 customers were taken.
Of this figure, over 70,000 were SuperValu customers and over 8,000 were AXA Leisure Break customers.
The details of another 150,000 clients were also potentially compromised.
It said initial indications are that the breaches were the result of an "external criminal act".
Managing Director Peter Steenstrup has said he is deeply sorry for what is described as a major security breach at the company.
He urged customers to check their bank account statements and report any suspicious activity.
Mr Steenstrup said Loyaltybuild takes data security very seriously and the company is working to ensure that this will never happen again.
The Data Protection Commissioner said the criminals who breached security have all the information they need in order to use the payment cards.
SuperValu and AXA have now suspended the schemes.
Customers are being advised to contact their banks and to check for any suspicious activity on their accounts.
Thousands of people who made Getaway Breaks bookings between January 2011 and February 2012 are advised to contact their financial institutions.
Stena Line has said it is working with Loyaltybuild to establish the extent of the security breach after it was involved with what the company said was a small scale, tactical hotel promotion.
It urged customers to contact Stena Line at 01-2047777 if they have concerns over the breach.
Independent investigation being carried out
Mr Hawkes has said that affected customers should check financial transactions on cards over the last two years.
Speaking on RTÉ's Morning Ireland, he said: "It's important that the customers affected actually look and check with their financial institutions, identify if there are any transactions they didn't authorise."
Mr Hawkes said it was a serious breach and his team will be attempting to see just how much information criminals have gained.
"We'll also find out if, for example, other types of information might have been accessed such as passwords and so on because people often use the same password on different sites."
Customers urged to cancel cards
The Consumers' Association has recommended that any consumers affected by the security breach should cancel their cards.
Speaking on RTÉ's Today with Sean O'Rourke programme, CEO Dermott Jewell said there is a strong likelihood that criminals have sold on sensitive information.
"With that news out there, there is every likelihood that criminal elements will say fine there is no point trying to use this because there will be a high alert.
"But that is not to say they haven't sold some of these onto third parties in other jurisdictions."
Andy Harbison, Director of Forensic and Investigation services at Grant Thornton, said there is a healthy black market for this form of data.
The specialist in combating cybercrime said that once the data has been stolen, it is auctioned off to other criminals who steal the money from bank accounts.
Mr Harbison said the gangs will often conduct a test on accounts to make sure they are active by instigating a small transaction for a few euro.
He said that previously cyber thieves would use credit card details to steal large amounts, but that it is now more common to take much smaller amounts on a frequent basis in order to avoid detection by account owners.