Number hit by Clare cyber attack climbs to 1.5 million

Credit card details, telephone numbers and home addresses taken

The Loyalty Build premises on Station Road, Ennis, yesterday. Photograph: Eamon Ward

Wed, Nov 13, 2013, 07:35

Up to 1.5 million people are now known to have had personal information including credit card details, telephone numbers and home addresses compromised by a major security breach at a Co Clare-based company. The firm manages customer loyalty schemes on behalf of retailers and service providers across Europe.

A Garda investigation has been launched into what is becoming one of the worst data breaches in the history of the State.

All told, the credit card details of 376,000 people across Europe – including almost 70,000 in Ireland – have been seriously compromised after criminals successfully targeted the Loyaltybuild company and exposed enormous weaknesses in its security systems.

A further 150,000 people have had their credit card details potentially compromised while the names, addresses, telephone numbers and emails of more than 1.1 million customers of companies who were doing business with Loyaltybuild were also taken in the cyber attack.

The company had lodged a formal complaint to gardaí over the issue and two investigators from the office of Data Protection Commissioner Billy Hawkes spent yesterday going through the company’s computer systems. Mr Hawkes confirmed that financial information had been stored in unencrypted form, along with the three-digit security code printed on customers’ cards.

The commission said last night it had been able to establish the attack was carried out by external sources but stressed it was too early to say from where it had come. It is trying to establish why credit card information had been retained by Loyaltybuild and a follow-up site visit is to take place.


Warning
The commission reiterated its warning to customers to be vigilant in relation to their accounts and to report any suspicious transactions to their card company.

People who feared they may have fallen victim to the attack were also told to be vigilant in relation to suspicious communication of any kind which they receive in the days ahead.

Some 62,000 Supervalu customers who bought its Getaway Breaks between January 2011 and February 2012 have been hit as have 8,000 who took advantage of Axa’s leisure break rewards programme.

Loyaltybuild lodged a formal complaint to the Garda yesterday as two investigators from Mr Hawkes’s office were sent to the company.

Mr Hawkes also suggested Interpol may have to be called in and data protection commissioners in the countries where Loyaltybuild has contracts have been alerted as have relevant banks and credit card companies.

The company runs special offers and incentive schemes for major retailers, utilities and service providers in the UK, Ireland, Scandinavia and Switzerland.

Concern is mounting that those responsible for the attack now have the information they need to use customers’ credit cards.

Mr Hawkes said that the financial information had been stored in unencrypted form, along with the three-digit security code printed on customers’ cards.

His office said last night that it had been able to establish the attack was carried out by external sources but stressed that it was too early to say where it had originated.

Garda sources have warned that any investigation is likely to be considerably hampered if those responsible are based outside of this jurisdiction.