Electric Ireland confirmed that non-financial data for 6,800 customers who availed of a discount hotel breaks promotion between 2007 and 2008 may have been compromised.
Electric Ireland — or ESB Customer Supply as it was known — had used Loyaltybuild so customers could book the breaks through the Co Clare company’s contact centre and website.
Last week, it emerged that the payment card details of up to 500,000 people across Europe may have been compromised by a data breach at Loyaltybuild, with the names, addresses, phone numbers, and email addresses of 1.12m clients from across Europe also taken.
The data breach, which appears to have taken place in mid-October, has already affected about 80,000 customers of Supervalu’s Getaway and Axa’s Leisure Break loyalty schemes.
The Office of the Data Protection Commissioner said its investigation into the breach was continuing and warned of possible “unsolicited communications” regarding the Electric Ireland customer information.
In a statement, Electric Ireland said: “ESB is taking this issue extremely seriously and is currently in contact with Loyaltybuild to obtain full details in relation to the data breach, and is liaising with the Data Protection Commissioner’s office.”
It said it was seeking clarification as to why customer data from 2007 was retained and said customers affected would be contacted. Anyone with concerns can contact 1850 372 372 for information.
The Irish Payment Services Organisation (IPSO) sought to temper some of the concern over the Loyaltybuild data breach by indicating that the Irish card numbers affected dated from Jan 2011 up until Feb 2012 only — meaning many have since expired or been replaced.
The IPSO said initial results showed no fraud trends attributable to the data breach, meaning there was “little cause for concern”.
But Daragh O’Brien of data experts Castlebridge Associates said while this “mitigated” some of the damage, there were still serious issues over why customer data had been held on file way beyond the timeframe for any transactions.
“Data protection rules are not a burden on companies, they are a defence,” he said, adding that the breach also resulted in the widespread disclosure of consumers’ contact details which could be sold on the information black market.
Garda Commissioner Martin Callinan yesterday confirmed that the fraud squad is to lead the Garda probe into the security breaches at Loyaltybuild, which gardaí believe was a hacking operation probably launched from outside the country.
Speaking to reporters at Templemore Garda College, Mr Callinan said a company such as Loyaltybuild had responsibilities and are supposed to have sufficient firewalls in place.
Mr Callinan said: “We will be looking at all of this in our computer crime investigation unit, with a view to trying to bring matters to a successful conclusion. The fraud squad will be taking the lead role in the investigation.”