Breach ‘one of biggest in Europe’ in last three years

Information was stored in unencrypted form, along with the three-digit CCV code

The Loyaltybuild premises on Station Road, Ennis, Co Clare. Photograph: Eamon Ward

The credit card details of about 376,000 European citizens have been put at serious risk after a data breach affecting the Co Clare-based company Loyaltybuild, making it what one industry person described today as perhaps the "largest data protection breach in western Europe in the last three years".

Up to 1.5 million have had their personal information compromised - details such as names, addresses, phone numbers and email addresses.

Data Protection Commissioner Billy Hawkes had not been made aware of the full extent of the breach until Monday night, he indicated.

Supervalu, which uses Loyaltybuild to process customer data for its Getaway Breaks scheme, initially brought the issue to light last week when it said about 39,000 of its customers had been exposed to credit card fraud.

But it emerged on Monday night that the problem was much worse than had originally been believed.

An initial investigation by the commissioner’s office at Loyaltybuild yesterday indicated more than 70,000 Supervalu Getaway customers had their credit card details stolen. Some 8,000 Axa Leisure Break customers were similarly affected. The details of an additional 150,000 customers were “potentially compromised”, the commissioner said.

While the commissioner yesterday referred to “criminals” having accessed the data, it is not yet clear whether the problem was the result of a hack or exactly how the information was obtained.

It is not even clear, based on the information on Loyaltybuild's own website, whether the personal data is stored in Ireland or whether it was sent elsewhere for processing. The company does indicate that it may transfer information "worldwide".

There is generally a ban on exporting personal data outside the European Economic Area unless one or more of a number of exceptions are met, including that the company has the consent of the customers involved.

Data protection consultant Daragh O'Brien of Castlebridge Associates said other data protection authorities across Europe would be watching with interest "to ensure Irish standards of investigation and enforcement are up to scratch to vindicate the rights of EU citizens".

“The impact on Loyaltybuild could be significant, as could the brand damage for any brand name associated with them,” he said.

“While Loyaltybuild have suffered the breach, they may only have been acting as a data processor on behalf of ‘name brands’ like Supervalu.

“As such, the ‘name brands’ are potentially liable for the breach under data protection law. This will all depend on the terms of the operating contract between Loyaltybuild and the brands and the level of direction that Supervalu could give regarding data processing by Loyaltybuild under that agreement.”

Information security consultant Brian Honan of BH Consulting said he had no direct knowledge of what had happened in this situation, although there were many different ways the data breach could have happened.

Companies such as Supervalu and Axa and others running loyalty schemes, however, had responsibility for the personal data provided to them by customers.

“Each of those companies has contracted Loyaltybuild to manage that scheme on their behalf. But while you can outsource the function and the job, you can’t outsource the responsibility to protect the data.”

He said inquiries would also examine what companies such as Supervalu were doing to keep the personal information as secure as it should be.

Mr Hawkes indicated yesterday that the information had been stored in unencrypted form, along with the three-digit CCV code on the back of the card.

Taking adequate measures to secure such personal data, having regard to its nature and the potential harm that might result from a breach, is a basic principle of data protection.

Keeping credit card numbers in encrypted form is a security basic. The Data Protection Commissioner’s investigators will be asking why Loyaltybuild or its agents retained the data at all once customers had paid for and taken their holiday breaks, unless a recurring payment was involved.

This issue also arose in connection with the controversy over the Local Property Tax, and the Revenue Commissioners were adamant they had to deduct payment immediately from those using credit or debit cards - purely because data protection considerations did not allow them to hold on to the card information.

Supervalu would be expected to have a legal agreement in place with Loyaltybuild as its so-called ‘data processor’, outlining the specifics of how customer data is to be handled and secured.

Ultimately, companies who collect the personal data of customers for such loyalty schemes are considered the data controller and are liable to prosecution under the Data Protection Acts.

The law provides for fines of up to €3,000 on summary conviction or up to €100,000 on indictment, although such a fine has never been recorded here.

Should any company face prosecution for an offence connected with electronic marketing, it would face fines of up to €250,000 for a conviction on indictment.

Other data protection authorities in Europe will be watching closely to see what emerges from the investigation here.