Ireland's Office of the Data Protection Commissioner (ODPC) recently announced that a security breach at loyalty marketing company Loyaltybuild exposed the full card details of more than 376,000 customers, of whom over 70,000 were Supervalu Getaway customers, and over 8,000 AXA Leisure Break customers.
According to the ODPC, the details of an additional 150,000 clients were potentially compromised, and the names, addresses, phone numbers and e-mail addresses of 1.12 million clients were also taken.
"The initial indications are that these breaches were an external criminal act. ... The ODPC continues to warn customers to be vigilant in relation to their accounts and to report any suspicious transactions to their card company," the ODPC said in a statement.
In a statement on its Web site, Loyaltybuild noted, "We are working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers, who are of paramount importance to us. From the moment we first detected a suspected security breach on Friday, October 25th we immediately engaged the services of an expert forensics security team and have worked tirelessly to try to rectify this situation."
The AXA Leisure Break Web site is currently offline. Supervalu Getaway's Web site is also offline, replaced by a statement explaining, "The Getaway Breaks booking system will remain off-line, pending a thorough investigation of the Loyaltybuild system."
"It’s unclear why Loyaltybuild stored the compromised credit card information in the first place," Neohapsis Labs technical director Gene Meltser noted in a statement. "In general, loyalty based programs function by rewarding users for specific purchasing activity, and to do that, loyalty rewards programs only need to correlate a member’s account information, such as a name, to purchasing activity records related to the reward in question. In an overwhelming majority of cases, it is unnecessary to store detailed credit card data, and in absolutely all cases it is prohibited to store the 3 or 4 digit codes, or CVV values off the credit card. To store this data unencrypted would not only be fundamentally prohibited under PCI-DSS requirements, but also demonstrating considerable negligence in protecting customer and payment data."
Photo courtesy of Shutterstock.