They signed up to receive discounts on vacation travel and other perks. Instead, more than 1.5 million Europeans who had enrolled in customer-loyalty programs learned this week that their personal data, including credit-card details in some instances, had been stolen in a cyber attack on an Irish company they’d never heard of.
Loyaltybuild, a firm in County Clare, Ireland, that manages loyalty programs for merchants in five European countries, acknowledged on Nov. 11 that hackers had stolen data on people who redeemed awards through websites it runs. In about 500,000 cases, the data included credit card numbers and security codes that were stored without encryption. (Encryption is not the only issue: the card industry's PCI DSS standard forbids retaining the security code at all once a transaction has been authorized, encrypted or not.)
Customers are being urged to check for suspicious transactions on their credit cards as far back as 2011. “The criminals involved have all the information needed to use the credit cards of the people concerned to make purchases,” Irish Data Protection Commissioner Billy Hawkes said Nov. 12 on the RTE television network.
Loyaltybuild’s clients include Irish supermarket chain SuperValu, AXA Insurance Ireland, the Co-operative Food in Britain, and retailers operating under the Coop brand in Scandinavia and Switzerland. SuperValu said it had suspended the rewards program where the data breach occurred.
The incident underscores the risks involved when merchants pass along customer data to contractors and other outside parties, says Brian Honan of BH Consulting, an information security company in Dublin. “While SuperValu and other companies have outsourced their loyalty schemes, they can’t outsource the responsibility” for protecting customers’ data, he says.
If unencrypted data were stored as alleged, that would violate European Union and Irish data-security laws, as well as security standards imposed by the credit card industry, Honan says.
Steve Ward, vice president of online-security consultant Invincea in Fairfax, Va., says that if such an attack occurred in the U.S., the merchant sponsoring the loyalty program would generally be held responsible for the cost of credit monitoring and any damages incurred by participants. The merchant, in turn, could seek damages from the outside contractor.
In one sense, customers of the Loyaltybuild-run programs were lucky: The problem was discovered quickly. A Loyaltybuild spokeswoman tells Bloomberg Businessweek that the breach took place in October and was first detected on Oct. 25. Most such breaches, Ward says, “are discovered months and months after they occur. The vast majority aren’t even discovered by the targeted entity. Often someone just stumbles upon it.”