Breach ‘one of biggest in Europe’ in last three years
Information was stored in unencrypted form, along with the three-digit card verification (CVV) code
Information security consultant Brian Honan of BH Consulting said he had no direct knowledge of what had happened in this situation, although there were many different ways the data breach could have happened.
Companies such as Supervalu and Axa and others running loyalty schemes, however, had responsibility for the personal data provided to them by customers.
“Each of those companies has contracted Loyaltybuild to manage that scheme on their behalf. But while you can outsource the function and the job, you can’t outsource the responsibility to protect the data.”
He said inquiries would also examine what companies such as Supervalu were doing to keep the personal information as secure as it should be.
Mr Hawkes, the Data Protection Commissioner, indicated yesterday that the information had been stored in unencrypted form, along with the three-digit card verification (CVV) code printed on the back of the card.
Taking adequate measures to secure such personal data, having regard to its nature and the potential harm that might result from a breach, is a basic principle of data protection.
Keeping credit card numbers in encrypted form is a security basic. The payment-card industry standard (PCI DSS) goes further: the verification code may not be stored at all once a transaction has been authorised, encrypted or not, and a card number that is retained must be rendered unreadable. The Data Protection Commissioner’s investigators will therefore be asking why Loyaltybuild or its agents retained the data at all once customers had paid for and taken their holiday breaks, unless a recurring payment was involved.
This issue also arose in connection with the controversy over the Local Property Tax, when the Revenue Commissioners were adamant that they had to deduct payment immediately from those using credit or debit cards, purely because data protection considerations did not allow them to hold on to the card information.
Supervalu would be expected to have a legal agreement in place with Loyaltybuild as its so-called ‘data processor’, outlining the specifics of how customer data is to be handled and secured.
Ultimately, companies that collect the personal data of customers for such loyalty schemes are considered the data controller and are liable to prosecution under the Data Protection Acts.
The law provides for fines of up to €3,000 on summary conviction or up to €100,000 on indictment, although such a fine has never been recorded here.
Should any company face prosecution for an offence connected with electronic marketing, it would face fines of up to €250,000 for a conviction on indictment.
Other data protection authorities in Europe will be watching closely to see what emerges from the investigation here.