THE company at the centre of a “very serious” data protection breach, relating to more than 1.1 million people, has declined to comment on the future of 50 jobs in Clare.
Loyaltybuild, an international firm based on Station Road in Ennis, was the subject of what it described as “a sophisticated criminal attack”, which resulted in the full payment card details of more than 376,000 customers being taken.
It also involved the details of an additional 150,000 clients being potentially compromised and the names, addresses, telephone numbers and email addresses of 1.12 million clients throughout Europe also being taken.
Management at Loyaltybuild were unavailable on Wednesday to discuss the breach and a spokesperson for the firm declined to address questions in relation to the company’s future at this time.
Gardaí have confirmed that the breach has been reported to the Garda Bureau of Fraud Investigation.
Separately, the Office of the Data Protection Commissioner has launched an investigation into the breach, which it is understood happened in mid-October.
Loyaltybuild delivers customer loyalty programmes on behalf of clients, among them SuperValu Getaway Breaks and AXA Leisure Breaks. On Wednesday afternoon, a further company, Electric Ireland, confirmed that up to 6,800 of its customers’ details had also been compromised.
Speaking to The Clare Champion on Wednesday, the deputy data protection commissioner, John O’Dwyer, said he was “very concerned about the data and how it has been exposed”.
Inspectors from the commission were in Ennis on Tuesday as part of the investigation, where they made some oral recommendations to Loyaltybuild. Mr O’Dwyer said further recommendations are likely to follow but he could not go into details in relation to these.
In a statement issued last week, Loyaltybuild said, “all payment details are deleted 90 days after a consumer has travelled”.
However, both SuperValu and AXA have said that the company advised them “there is a high risk” that card details used to pay for breaks between January 2011 and February 2012 were accessed in the October 2013 breach.
“Under our acts, a company shouldn’t be maintaining any data, whether it is card payment data or any personal data in relation to individuals, where it is not justified,” Mr O’Dwyer said.
“In certain circumstances, card data may need to be detained for a period of time but we would see that as a short period of time. We have issued some guidelines on this and the maximum period we would see would be up to 13 months but we would envisage that, in most cases, it would be a much lesser time than that,” he added.
“Normally the card details are held to verify it and then when the break or whatever transaction takes place, there may be the odd occasion where there would be a possibility of a refund or, we’ll say in the case of a leisure break or something like that, where someone didn’t turn up, you may only be charging them for the first night’s accommodation. So you would need to wait until such time as the break had taken place to be able to verify that people had used the opportunity to take the break and if they were due a refund, you would do that. Beyond that, they shouldn’t be retaining any information,” Mr O’Dwyer continued.
In answer to a query submitted by The Champion in relation to why Loyaltybuild retained the credit card details of customers affected by the breach, a spokesman said, “This is an ongoing investigation involving the DPC and the gardaí. As it may be subject to a criminal investigation, it would be inappropriate to comment further at this time.”
Approximately 8,000 AXA Leisure Break customers have had their data compromised. A spokesperson for AXA stressed the breach is “exclusive to AXA Leisure Breaks and does not impact AXA Ireland’s other online websites or any other customer transactions by payment card”. The company has promised “a root and branch review of the Loyaltybuild system”.
SuperValu are contacting Getaway Breaks customers to tell them there is “a high risk that an unauthorised third party accessed the details of payment cards used to pay for Getaway Breaks between January 2011 and February 2012. This time period is based on Loyaltybuild’s ongoing investigation and any updates or new information received will be immediately communicated to customers.”
The company has advised that the data leak is exclusive to its Getaway Breaks and does not impact on the rest of its websites.
Stena Line confirmed that it worked on “a small-scale, tactical hotel promotion with Loyaltybuild, which has now finished”.
Between 2007 and 2008, ESB Customer Supply (now Electric Ireland) engaged Loyaltybuild to manage a number of marketing campaigns whereby customers could avail of discounted hotel breaks.
Customers booked these breaks through Loyaltybuild’s contact centre and website. Electric Ireland was notified on Wednesday that names, addresses, telephone numbers and email addresses, but not credit card or other financial information of any description, may have been compromised.
Those affected are advised to check their bank statements for unusual activity since mid-October and to treat any unsolicited communication they receive relating to this issue claiming to represent AXA Leisure Breaks, SuperValu Getaway Breaks or Loyaltybuild with extreme caution.
Loyaltybuild has said it “takes data security seriously and our clients’ data is critical. It is for this reason that our websites are not currently running. We are working around the clock with experts both inside and outside of our business to do everything we can to ensure that this does not happen again”.