More firms to be named in personal data breach

Loyaltybuild refuses to identify the affected companies as crisis widens

Loyaltybuild said the further data breaches, yet to be publicised, had only come to light late yesterday evening and the companies involved were in the process of being informed.
Loyaltybuild said the further data breaches, yet to be publicised, had only come to light late yesterday evening and the companies involved were in the process of being informed.

A fresh wave of companies caught up in the massive data breach affecting Loyaltybuild will be identified later today or tomorrow but the Co Clare based firm last night refused to say who they were or how many more people's personal data will be put at risk as the crisis continues to widen.

It also defended the manner in which it has released in bits and pieces information about the widespread theft of its customers’ personal data since the story broke last week and it denied it had lost control of the situation.

However a Data Protection Commission (DPC) source said some key questions it had asked Loyaltybuild about the Irish companies it had done business with remained unanswered and the source said the Data Protection Commission was "very concerned about the drip feed of information" over recent days.

Loyaltybuild said the further data breaches, yet to be publicised, had only come to light late yesterday evening and the companies involved were in the process of being informed. It said that until all companies involved were in a position to start communicating with both the DPC and their customers about the nature of the breaches, it was legally precluded from identifying them.

READ MORE

A spokeswoman for Loyaltybuild did say that the numbers who had their credit card details stolen from the companies as yet publicly unidentified was likely to be small and stressed the situation had been changing “hourly” throughout yesterday. However those who had other personal details compromised, will be significant, it is understood.

It also emerged yesterday that the personal information of about 6,700 ESB customers were compromised by the security breach which has seen the personal details of around 1.5 million people across Europe compromised including 80,000 Supervalu customers and 8,000 Axa customers.

The Data Protection Commissioner said that financial data was not involved in the ESB breach which it described as “historical” as the company is no longer a customer of Loyaltybuild. Names, address, phone numbers, email and a booking reference have, however, all been compromised among those ESB customers.

Electric Ireland (formerly ESB)confirmed that it would be notifying affected customers while the data protection commissioner said customers should be vigilant about any unsolicited communications which may result from the data breach.

Meanwhile, Garda Commissioner Martin Callinan said the online attack will lead to a difficult and complex criminal investigation because those responsible were most likely based outside the State. However, he insisted that the international nature of the crime would not frustrate the Garda's cyber crime investigators in their efforts to catch those responsible.

Early indications from the Data Protection Commissioner’s office suggests that the breach happened in mid-October – some 10 days before it was identified by the company.

“These customers — who should by now have been notified directly by Supervalu and Axa — should examine their card transactions since mid-October to identify any such transactions that they did not authorise,” the commissioner’s office said. “They should also follow the advice of their card provider on any further precautions that might be necessary to protect themselves,” the DPC said.

Conor Pope

Conor Pope

Conor Pope is Consumer Affairs Correspondent, Pricewatch Editor

Conor Lally

Conor Lally

Conor Lally is Security and Crime Editor of The Irish Times