Over 376k credit cards compromised in LoyaltyBuild breach

Ireland-based marketing company LoyaltyBuild has suffered a breach that resulted in the compromise of full card details of over 376,000 customers, and the name, address, phone number and email address of 1.12 million customers, the Office of Ireland’s Data Protection Commissioner has revealed to the public.

“The initial indications are that these breaches were an external criminal act,” they noted. “The ODPC will assess fully the findings of the inspection and will be making a number of recommendations to Loyaltybuild. A follow up inspection will also be carried out.”

LoyaltyBuild partners with companies to create, manage and deliver customer loyalty programmes, and among those who had their card details stolen were over 70,000 customers of supermarket chain SuperValu’s Getaway Breaks program, and over 8,000 customers that participated in the Leisure Break reward program of the insurance company AXA.

Both of the above mentioned companies have temporarily put the programs’ booking sites offline, and have advised anyone who has booked a Getaway / AXA Leisure break recently to “review their accounts and report any unusual activity or unsolicited communication relating to this issue to their financial institution.” They both also mentioned that their other websites or any other customer transactions by payment card were impacted by the breach, and have begun sending out notices about the breach to affected customers.

LoyaltyBuild has stated that the system breach was discovered last month, and that they have been working around the clock with their security experts to get to the bottom of matter.

“From the moment we first detected a suspected security breach on Friday, October 25th we immediately engaged the services of an expert forensics security team and have worked tirelessly to try to rectify this situation,” they noted. “The DPC and the Garda?­ will be kept informed of any further developments.”

Irish Examiner reporter Mike Harris posits that due to the fact that the compromised data was historical (collected between January 2011 and February 2012), it seems likely that it wasn’t sitting on the main credit card system, but was probably dumped outside of the protected database by an employee for reasons unknown. LoyaltyBuild has, so far, declined to share more details about how the breach and the data exfiltration happened.

Users who have had their card data stolen would do well to check their accounts and keep an eye on their bank statements for the foreseeable future. The hackers have stolen all the information needed to clone the credit cards and use them to make purchases, but it’s also possible that the information will be sold to other criminals, and used months from now. It’s also possible that they will try to impersonate LoyaltyBuild via email in order to make affected users share additional sensitive data.