Step into the breach
For the cybercriminals who stole details of SuperValu, Axa and Clerys customers last week, names, emails and phone numbers can be as valuable as credit-card data. How big is the risk to consumers?
When small files started being discreetly downloaded from computers in a grey Ennis office block four weeks ago and making their way through cyberspace towards the shadows of the “dark net”, it went almost entirely unnoticed. More than a week passed before anyone realised something was amiss. Then all hell broke loose.
Although it has more than three million customers across Europe, until last week only a handful of Irish people had heard of Loyaltybuild, a Co Clare-based company that takes bookings for rewards schemes offered by retailers and service providers.
In a chain of events that started in the middle of October, sensitive personal details of about 1.5 million people have been stolen by as yet unidentified criminals. Retailers and service providers in Ireland and across the EU are embarrassed, and Loyaltybuild has shut down its booking service as it fights to regain control of the situation.
The story broke in this newspaper last week, but the company played it down. On Monday it emerged that the problem was worse than it had initially said. The credit-card details of 376,000 people across Europe had been stolen by criminals in what industry sources say was the largest data-protection breach in western Europe in the past three years.
And it kept getting worse. Through the week the numbers climbed until 1.5 million people were found to have had their personal information compromised, with details such as names, addresses, phone numbers and email addresses also stolen in the cyberattack.
SuperValu, Axa, ESB, Clerys, Centra, Pigsback, Postbank and Stena Line all fell foul of the security breach. SuperValu fell hardest. Seventy thousand of its most loyal customers – those who had booked holiday breaks with the retailer – have had their credit-card details stolen.
The Office of the Data Protection Commissioner has launched an investigation. It says key questions it has asked Loyaltybuild remain unanswered: how the breach was allowed to happen and why Loyaltybuild stored for years the three-digit security code found on the back of all cards, in breach of data-protection rules.
The Garda is investigating too, but sources hold out little hope that the criminals will be brought to court, as all the signs are of a cyberattack from outside the State. This would make it difficult, if not impossible, to bring anyone to justice.
Last month Brian Honan was appointed special adviser on internet security to Europol’s European Cybercrime Centre after being at the vanguard of the fight against hackers in Ireland for nearly 20 years. He has been following developments this week with a keen eye.
“You do have the archetypal hacker, the kid in his bedroom, testing systems for kicks, but this seems more organised,” he says. He suggests the attack was done not for kicks but for cash. “There is an electronic ecosystem for the criminal underground, and there are people who spend their time looking for weaknesses and vulnerabilities, which they can then sell on.”