Thursday 21 September 2017

Exposed: Here's exactly what happened, and why

It was the week when hacking entered the lives of ordinary Irish people. Almost 90,000 Irish credit and debit card holders had their accounts exposed, while at least 1.1 million Europeans – including many Irish – had other personal information stolen. Here's a quick refresher of what happened and why.

What exactly happened?

An Ennis-based company called Loyaltybuild got hacked. Loyaltybuild runs customer loyalty campaigns for retailers like SuperValu, Axa, the ESB and other organisations. It had lots of these companies' customer credit and debit card details stored. These were stolen.

How many people were affected?

Of the Irish people affected (Loyaltybuild has lots of continental European customers), SuperValu customers were by far the worst hit: 70,000 SuperValu customers' credit and debit card details were exposed. Next worst was Axa, with 8,000 customers. Then the ESB (Electric Ireland). After that, several companies had smaller numbers of customers exposed. These included Clerys, PostBank, Centra, Unislim and others.

How bad was it? Has anyone lost any money?

At this point, probably not. Two of the four main banks (AIB and Permanent TSB) have said that they've detected some fraudulent activity among the credit cards exposed. But they can't say for certain to what extent such fraud is linked to the hacking heist. Even if it is, they will automatically reimburse anyone affected (which is a standard policy from banks and credit card issuers in the case of fraud).

Are the cards still at risk? If so, how many?

Generally, most of the credit card details exposed related to transactions that happened over a year ago. In some instances, such as the ESB, it was over five years ago. That means that many of them will have expired by now and can't really be exploited any more. This goes double for the 26,000 debit cards exposed, which are replaced more frequently.

What will happen to Loyaltybuild now?

The company has ceased taking bookings for now. Separate investigations by the Garda Bureau of Fraud Investigation and the office of the Data Protection Commissioner are currently under way. One focus might revolve around why the credit card data was kept so long after initial transactions and why all of the details remained unencrypted.

How common is this kind of attack?

While hacking attempts are constant all year round, this kind of casualty rate is rare. However, a major survey of 300 Irish IT managers from the Irish Computer Society this year revealed that over 40 per cent of Irish firms admit to more than one data breach each year, though few of those would be as serious as this one.

Sunday Independent

