Gardaí, inspectors from the Data Protection Commissioner, and two sets of private security consultants are investigating the security breach at Loyaltybuild, which is believed to have been a deliberate, criminal attack.
The Co Clare-based firm, which operates discount hotel break schemes as loyalty rewards for customers of SuperValu and Axa, revealed last week that 40,000 people in this country were affected, but called in gardaí this week after consultants doubled that number.
The total so far known to be affected across Europe, where the company has multiple clients, has reached 1.6m: 376,000 had personal and full card details stolen, 150,000 had personal and some card details stolen, and 1.12m had personal details only stolen.
Data Protection Commissioner Billy Hawkes sent inspectors to the company yesterday after receiving Loyaltybuild’s update on the breach, which he described as “very serious”.
He said the hackers had names, addresses, passwords, credit and debit card numbers, expiry dates, and credit verification values (CVVs). “They would have all the information they would need to impersonate someone and make a purchase.”
Among the questions inspectors will ask is why so much data was stored for so long in unencrypted form and not wiped out after payment was processed.
Mr Hawkes also wants to know what safeguards against data theft were in place, why he was initially told that CVV numbers were not stored, and why it took three weeks from the discovery of the breach to ascertain its scale.
Details of over 70,000 SuperValu Getaway Breaks customers, 8,000 Axa Leisure Break customers, and around 50 Stena Line customers were accessed. Customers were advised to check their bank accounts for any unauthorised transactions since Jan 2011.
SuperValu and Axa also warned that customers could be targeted by scam artists claiming to be from those companies or Loyaltybuild, seeking details as part of a fake security check. SuperValu has hired IT experts to carry out its own inquiry.
Peter Steenstrup, managing director of Loyaltybuild, said he was shocked at what had happened and had brought in IT experts to investigate. “We feel deeply sorry for this situation.”
Dermott Jewell of the Consumers’ Association of Ireland said online companies handling financial data should be regulated by the Central Bank. “The whole system has broken down here.”
Calls were also made for banks to waive fees for customers needing printouts of account statements going back to Jan 2011, as charges of up to €3.80 per page are being applied.
The commissioner also confirmed yesterday his office was probing an apparent glitch in the National Driver Licence Service website, which allowed licence applicants’ contact details to be viewed by other applicants.