Loyaltybuild reopens for business after huge data breach

Data Protection Commissioner to keep Ennis -based company’s operation under ‘ongoing review’

Data Protection Commissioner Billy Hawkes, who commenced an investigation into Loyaltybuild’s operation after the data breach last year. Photograph: Dara Mac Dónaill/The Irish Times

Data Protection Commissioner Billy Hawkes, who commenced an investigation into Loyaltybuild’s operation after the data breach last year. Photograph: Dara Mac Dónaill/The Irish Times

Wed, Mar 12, 2014, 16:26

The company at the centre of the biggest data breach ever dealt with in Ireland has recommenced trading and said it had invested €500,000 in new security systems after the criminal attack last year.

Ennis-based Loyaltybuild, which provides services to companies running holiday break promotions, was hit by the breach late last year and it emerged the personal details of about 1.5 million people across Europe were compromised.

This included about 90,000 Irish customers of companies such as Supervalu, Axa, ESB, Clerys and Pigsback and Stena Line in Northern Ireland. In some cases, financial data was involved.

At the time, Loyaltybuild described the hacking of its site as “a sophisticated criminal act”.

Initially, the company and clients such as Supervalu and Axa had reassured customers that their personal data had not been compromised.

But it later acknowledged this was not the case. Some of the personal information had been stored in unencrypted form.

All processing of personal data by Loyaltybuild ceased when Data Protection Commissioner Billy Hawkes began investigating the breach in November.

The commissioner’s office confirmed Loyaltybuild had recommenced business.

In a statement, it said said its examination of the security practices and procedures employed by the company had taken place. It had now recommenced processing personal data.

“Our formal investigation is nearing completion and a finalised report with recommendations (most of which have already been implemented by Loyaltybuild) will issue in the near future,” the statement added.

“We envisage that ongoing reviews will be mandated as part of our report recommendations for a period following completion of the formal investigation.”

It is understood the company’s staff of about 50 people in Ennis were kept on the payroll while that investigation was underway, even though business had temporarily ceased.

Loyaltybuild today confirmed it had recommenced trading in Norway and Sweden “following the recent criminal cyber attack on our business”.

“We are continuing to work with our valued clients to bring our other loyalty programmes back on line,” it said.

The company said it had ceased taking bookings on its websites and in its call centres in November in order to enable its external data experts to complete their investigation into the cyber attack.

“This also allowed us the time to put into place additional protections and certifications to assure our clients’ customers of the highest degree of confidence when booking with us in the future,” it added.

The company said it had made “significant investments in its systems and infrastructure, implementing the most up-to-date technologies and payment processes to ensure all transactions are secure”.

This included technical and operational standards, which it said had been independently audited and certified. It is understood all payments will now be processed through the secure Realex payments service.

“Loyaltybuild has now achieved the highest possible standard when it comes to global security regulations, designed to protect payment card information during and after a financial transaction.”

The company again expressed its “sincere apologies” to its clients and their customers for the distress and inconvenience caused.

In 2012, Loyaltybuild made a pre-tax profit of €4.47 million on a turnover of €11.16 million.

About a third of its turnover (€3.3 million) was in Ireland while the rest (€7.85 million) was generated in other European countries.

The turnover comes from the commission it gets on discounted holiday packages sold as part of customer loyalty programmes.

It is part of the Affinion Group based in Stamford, Connecticut, which has about 4,300 employees and operations in 19 countries.

Separately, the European Parliament today voted in favour of a new data protection regulation which would harmonise the law across the EU.

The regulation, along with a directive on data protection law in the area of law enforcement, has been over two years in negotiation. It must yet be approved via a co-decision process with the European Council.

European Commission vice president Viviane Reding said the reform would ensure more effective control of people over their personal data, and make it easier for businesses to operate and innovate in the EU’s single market.

“Strong data protection rules must be Europe’s trade mark. Following the US data spying scandals, data protection is more than ever a competitive advantage,” she said.