Breach ‘one of biggest in Europe’ in last three years
Information was stored in unencrypted form, along with the three-digit CCV code
The Loyaltybuild premises on Station Road, Ennis, Co Clare. Photograph: Eamon Ward
The credit card details of about 376,000 European citizens have been put at serious risk after a data breach affecting the Co Clare-based company Loyaltybuild, making it what one industry figure described today as perhaps the “largest data protection breach in western Europe in the last three years”.
Up to 1.5 million people have had their personal information compromised - details such as names, addresses, phone numbers and email addresses.
Data Protection Commissioner Billy Hawkes had not been made aware of the full extent of the breach until Monday night, he indicated.
Supervalu, which uses Loyaltybuild to process customer data for its Getaway Breaks scheme, initially brought the issue to light last week when it said about 39,000 of its customers had been exposed to credit card fraud.
But it emerged on Monday night that the problem was much worse than had originally been believed.
An initial investigation by the commissioner’s office at Loyaltybuild yesterday indicated more than 70,000 Supervalu Getaway customers had their credit card details stolen. Some 8,000 Axa Leisure Break customers were similarly affected. The details of an additional 150,000 customers were “potentially compromised”, the commissioner said.
While the commissioner yesterday referred to “criminals” having accessed the data, it is not yet clear whether the problem was the result of a hack or exactly how the information was obtained.
It is not even clear, based on the information on Loyaltybuild’s own website, whether the personal data is stored in Ireland or whether it was sent elsewhere for processing. The company does indicate that it may transfer information “worldwide”.
There is generally a ban on exporting personal data outside the European Economic Area unless one or more of a number of exceptions are met, including that the company has the consent of the customers involved.
Data protection consultant Daragh O’Brien of Castlebridge Associates said other data protection authorities across Europe would be watching with interest “to ensure Irish standards of investigation and enforcement are up to scratch to vindicate the rights of EU citizens”.
“The impact on Loyaltybuild could be significant, as could the brand damage for any brand name associated with them,” he said.
“While Loyaltybuild have suffered the breach, they may only have been acting as a data processor on behalf of ‘name brands’ like Supervalu.
“As such, the ‘name brands’ are potentially liable for the breach under data protection law. This will all depend on the terms of the operating contract between Loyaltybuild and the brands and the level of direction that Supervalu could give regarding data processing by Loyaltybuild under that agreement.”