Now banks admit hackers took money from their customers
AIB and Permanent TSB admit customers fallen victim to fraudulent transactions
Published 14/11/2013 | 02:00
TWO major banks have confirmed that their customers have fallen victim to fraudulent credit card transactions, following the biggest cyber attack in the history of the State.
It is the first time that evidence of financial fraud has emerged following the significant hacking of a customer database at the Irish marketing and travel business Loyaltybuild.
Despite cyber criminals having accessed details of hundreds of thousands of credit card holders last month, it was initially believed that there had been no attempts to obtain cash.
But now AIB and Permanent TSB have both confirmed that a number of customers have fallen victim to fraudulent transactions on their credit cards.
As the scale of the crisis continued to escalate, it emerged that 6,700 customers of Electric Ireland were also on the list of credit card users whose details had been compromised.
In total, it is estimated that the hacking attack in mid-October exposed either the financial details or personal information of 1.1 million people to online raiders.
Loyaltybuild said more than 376,000 people on its systems had had their credit card details stolen and the financial details of an additional 150,000 clients had potentially been compromised.
The information relating to the other clients included personal details – such as names, addresses, phone numbers and email addresses – but not financial details.
While it was known that the information had been compromised, there was no evidence of the criminals attempting to use it until now.
The full scale of fraudulent activity has not yet been determined, but senior executives at both AIB and Permanent TSB have confirmed to the Irish Independent that at least "dozens" of customers had been affected.
These customers are currently being contacted, said the two banks.
Meanwhile, Bank of Ireland and Ulster Bank said that they were still assessing the situation and that there were no clear indications yet of fraudulent activity associated with the hacking attack.
While the scale of the cyber attack is still being assessed, it is known that more than 80,000 Irish people had their financial details compromised when hackers attacked Ennis-based Loyaltybuild.
The company has run rewards schemes for companies in Ireland, the UK, Scandinavia and Switzerland and serviced firms such as SuperValu, Axa and the ESB.
While the details of more than 80,000 cardholders are being examined for possible fraud, it has emerged that the details of another 150,000 card holders could also have been breached.
The Irish Independent understands that even more Irish firms have been affected and are set to be revealed by LoyaltyBuild and the Data Protection Commissioner.
It was confirmed that 6,700 customers of Electric Ireland were also hit.
A statement yesterday from the Data Protection Commissioner, confirming this, forced the ESB to row back on a previous statement, made to this newspaper, that it believed none of its customers were affected.
The affected data in this instance included the names, addresses, phone numbers and email addresses for customers who had booked discount hotel breaks with ESB managed by LoyaltyBuild between 2007 and 2008.
It is understood that financial data was not involved in the breach relating to ESB customers.
Investigations are being spearheaded by the Garda Bureau of Fraud Investigation, backed up by the Garda Computer Crime Investigation Unit.
The Data Protection Commissioner, Billy Hawkes, is also investigating.
Garda Commissioner Martin Callinan said the likelihood that those behind the hacking were foreign criminals was putting an extra strain on fraud squad detectives.
"That adds to the degree of difficulty and the complexity of the investigation," he said.
Mr Callinan warned that companies had a responsibility to have powerful enough firewalls in place to prevent criminals from hacking into their systems and into people's personal details.
"It's important that your personal details are kept as private as they possibly can be and companies have a responsibility as well," he said.
More than 70,000 customers of the supermarket SuperValu, including more than 6,000 in Northern Ireland, and more than 8,000 at the insurance firm Axa were hit.
Stena Line customers in Northern Ireland may also be affected.
The Irish Payment Services Organisation said that most of the cards involved in the data breach would have expired or been replaced since the customers handed over their details.
It advised cardholders to monitor their accounts on a daily basis, either online or over the phone, and if they noticed any suspicious activity they should report it to the card issuing bank.
Ipso also advised customers of Loyaltybuild that they will be reimbursed if any fraud is found on their accounts.
"At this time, those cardholders, who believe they may have been affected, should have little cause for concern," the organisation added.
AIB has said it began replacing Laser and Maestro Cards with Visa debit cards in August 2012, making it unlikely that these customers were affected.
"The advice to credit card customers is to be vigilant in their account reconciliation," said a spokesman for the bank.
"If the customers identify any unusual activity on their card, they should contact AIB Card Services."
As the repercussions of the online breach continue to grow, security experts are warning of a heightened risk of foreign cash withdrawals, identity theft and email 'phishing' attacks.
More than 40pc of IT managers in Irish companies admitted to data breaches in their workplace in a survey this year by the Association of Data Protection Officers and the Irish Computer Society.
This survey of 300 managers was a warning sign for the current data breach, even though such problems could cost companies millions, they noted.
The increase in mobile devices also points to the need for greater emphasis on data protection.
Adrian Weckler and Aideen Sheehan
Irish Independent