Caroline O’Doherty reports: SuperValu has resumed its leisure breaks scheme with the company that lost the personal details of more than 60,000 of its customers. The supermarket chain got back into business with Loyaltybuild after what it described as “a long period of consultation, during which Loyaltybuild made a significant investment updating its security features to the highest possible standards”. Loyaltybuild said it had spent more than €500,000 upgrading its computer systems since the breach and now had the “gold standard in global security regulations”. The company has also advertised for a certified ethical hacker — a systems analyst with specialist training in legally breaking into computer systems — to help find weak spots in its IT security. Read more on Irish Examiner. SuperValu was just one of LoyaltyBuild’s customers affected by the hack. Total numbers for their breach were estimated at over 500,000. See previous coverage on this blog.
Elaine Edwards reports: The company at the centre of the biggest data breach ever dealt with in Ireland has recommenced trading and said it had invested €500,000 in new security systems after the criminal attack last year. Ennis-based Loyaltybuild, which provides services to companies running holiday break promotions, was hit by the breach late last year and it emerged the personal details of about 1.5 million people across Europe were compromised. Read more on Irish Times. Previous coverage on this blog linked from here.
Conor Pope reports: Customers of a further eight companies including Clerys, Centra, Postbank and Pigsback have had their personal information stolen in the data breach at Co Clare-based company Loyaltybuild. Credit card information of customers of Clerys’ loyalty travel scheme as well as personal details including names, addresses, phone numbers and email addresses are now know (sic) to have been stolen in the cyber attack. Non-financial information of customers of Centra, vouchers website PigsBack, Postbank Ireland and a small Ennis orthodontics company called TOG were also compromised. Credit card details of Stena Line customers in Northern Ireland have also been compromised as have a small number of credit card details and the personal data of customers of Northern Unislim. Read more on Irish Times. Since readers of this blog already knew about Supervalu, Stena Line, Axa Insurance, and ESB, it’s actually five more firms that we’re first learning about.
Expect more clients of Loyaltybuild to be named tomorrow as victims of the firm’s data breach. It appears that Loyaltybuild just discovered last night that even more companies were affected and needed to notify them first before releasing the information publicly.
Loyaltybuild really needs to get ahead of the story instead of allowing the media to leak out each new part of its breach. Now we learn that the Electricity Supply Board (ESB) in Ireland was also impacted. The Irish Times reports: The personal information of about 6,700 ESB customers is now known to have been included in a massive data breach affecting the Loyaltybuild company in Ennis, Co Clare. Electric Ireland confirmed it had been informed by Loyaltybuild that the data breach had affected ESB customers who participated in a loyalty scheme run by the ESB in 2007 and 2008. In total, about 1.5 million people across Europe have had their personal details compromised in the breach, including 80,000 Supervalu customers and 8,000 Axa customers. In an update this evening, the Data Protection Commissioner said the latest affected data related to customer contact details of approximately 6700 ESB customers including name, address, phone number, email and a booking reference. “ It is understood that financial data are not involved,” the office said.. Electric Ireland will be notifying affected customers. […] And of course, with each new story, they repeat the total of 1.5 million and create yet one more unflattering Google result if any future clients were to Google search for Loyaltybuild.
The Office of the Data Protection Commissioner (ODPC) has received a preliminary report on the findings of its inspection team following an inspection today at Loyaltybuild, the company at the centre of the recent data breach. The inspection team confirmed the extent of the breach in which the full card details of over 376,000 customers were taken of which over 70,000 were Supervalu Getaway customers and over 8,000 were AXA Leisure Break customers. The details of an additional 150,000 clients were potentially compromised. The inspection team also confirmed that name, address, phone number and email address of 1.12m clients were also taken. The initial indications are that these breaches were an external criminal act. The ODPC will assess fully the findings of the inspection and will be making a number of recommendations to Loyaltybuild. A follow up inspection will also be carried out. The ODPC reiterated the importance of the responsible parties notifying all of the clients affected in addition to the financial institutions which issued the affected cards. The ODPC continues to warn customers to be vigilant in relation to their accounts and to report any suspicious transactions to their card company. Clients should also be vigilant in relation to suspicious communication of any kind which they receive.
Conor Pope reports: SuperValu has been forced to contact thousands of customers who have bought its “getaway breaks” after a security breach at the company that oversees the scheme left sensitive financial data potentially compromised. The “getaway breaks” vouchers are a key loyalty reward programme run by the US-owned company Loyaltybuild, which is based in Co Clare. It is reviewing the security of the personal and payment card information held on its booking system. “This review is necessary as Loyaltybuild has advised its client base in Ireland that its system may have been compromised by a third party,” said SuperValu in a statement. “This issue is exclusive to ‘Getaway Breaks’. It does not impact SuperValu’s other websites or any other customer transactions by payment card,” a spokesman said. Read more on Irish Times. The SuperValu.ie site currently has this notice on its “Getaway Breaks” page: We are experiencing technical issues and we are hard at work to bring SuperValu Getaway Breaks and Bonus Rewards back online. Thank you for your patience, we apologise for any inconvenience caused. I hate when sites suggest they are down for “maintenance” or a “technical” problem when they know they’re looking into a security breach. But then, I guess under Ireland’s laws, they don’t have to post anything on their web site about this, and reportedly, the data were encrypted and they have no evidence of acquisition or misuse. So…. Update 1: Today’s RTÉ reports that more than 30,000 customers were affected by this breach. They report that another Loyaltybuild client, Axa, also had customers affected (approximately 4,000). Update 2: And now it’s more than 140,000 who have personal and payment card info at risk, including 40,000 Irish customers of Supervalu, Axa, and Stena Line, and 100,000 consumers in Norway, Italy, and Sweden. Loyaltybuild posted the following statement on their site yesterday: On Friday 25th October our data security team identified a suspected system breach. From the moment Loyaltybuild discovered the breach we took immediate action to rectify the situation and protect stored data. We immediately engaged the services of a firm of leading, international, online security experts. They are conducting a forensic investigation to help us identify whether any of our stored data was compromised, and, if so, to what extent. As of 1pm today the forensics team reported there had been no signs of person or payment databeing extracted or compromised, but the forensic examination is ongoing. The Irish Data Protection Commissioner and all affected clients have been informed of the suspected breach. Unfortunately, the threat of cyber-attacks is increasingly becoming a reality of doing business today. To this end, we employ systems which operate to the highest level of encryption and security standards and we constantly monitor and test our systems. To minimise risk we operate a policy of maintaining as little personal information as possible; credit card numbers are encrypted and we deliberately do not store CVV numbers – the card verification value – which is a 3 digit number found on the back of a credit / debit card. All payment details are deleted 90 days after a consumer has travelled. We are working around the clock with our security experts to get to the bottom of this and to further enhance our security. As soon as we have more information from the forensics team we will publish an update. We regret any inconvenience caused and are taking every necessary action to rectify this issue. For customer queries please call the Loyaltybuild Helpline on 065 686 5200. The helpline is open Monday to Sunday from 9am to 8pm. Update 3: SuperValu has revised its estimate upwards to report that 62,500 of their customers may have been affected. Update 4: Now the total number across EU is estimated at 500,000
Elaine Edwards reports: Action is needed to tackle deficiencies in how the public service protects the personal data of citizens before such action is triggered by a “crisis”, the Data Protection Commissioner has said. Billy Hawkes was speaking today on the publication of his annual report for 2013, which is his final annual report in the office. He retires in August. Read more on The Irish Times. A press release issued today by the Data Protection Commissioner’s Office summarizes some of the key findings: Complaints: During 2013, the Office opened 910 complaints for investigation. Complaints from individuals in relation to difficulties gaining access to their personal data held by organisations accounted for almost 57% of the overall complaints investigated during 2013. With 517 complaints in this category, this represents a record high number of complaints concerning access requests. The annual report draws particular attention to issues which we have identified in the course of our investigations of access request complaints. Complaints in 2013 about unsolicited marketing communications under the Privacy and Electronic Communications Regulations are at a similar level to recent years with a total of 204 opened for investigation. The annual report includes case studies of a number of specific investigations including: The prosecution in District Courts across the State of a number of companies for unsolicited marketing offences. Unlawful accessing of Departmental records by an official of the Department of Social Protection for their own personal use. The disclosure by Carphone Warehouse of a customer’s details to strangers and the distressful consequences for the customer concerned. Data Security Breaches: In 2013, the Office dealt with 1,577 Data Security Breach notifications. For the second year, the annual report contains a selection of case studies regarding a number of Data Security Breach investigations, including: Report of investigation into data security breach at Loyaltybuild Ltd. The taking of a client list by an ex-employee to a new employer, which is emerging as a recurring issue. The first notifications by telecommunication companies via the new online reporting mechanism laid down in European Commission Regulation 611/2013. Breach reports by the private sector were up in 2013 compared to 2012 (246 vs. 220), but down for the public sector (61 vs. 84). You can access the full report here.
Over on Twitter, Brian Honan just noted that two infosec stories led the evening news in Ireland tonight. One of them surely must be the Loyaltybuild/Supervalu breach, reported previously on this blog. I suspect this is the other one: The Road Safety Authority has confirmed that a data breach has occurred on the website for the new National Driver Licence Service. The breach occurred on the Contact Us section of the website, which failed to refresh and retained queries, allowing other users to see that information. The RSA says 721 people have been affected but that they do not believe there was any financial information submitted through the website. It says it is currently reviewing each case and contacting the individuals involved to advise them of the breach. Read more on RTÉ.
SuperValu has revised its assessment of the number of customers affected by a recent breach involving its vendor Loyaltybuild. It now reports that 62,500 customers may have been affected. The estimate for Axa Insurance customers now affected has also been increased to 8,000. The number is now up to 500,000 across Europe, as other Loyaltybuild customers are also affected, although I don’t know which ones (yet), although we know that Stena Line customers were also affected.