Hacking heist will cost more in reputations than stolen money
Bank policies mean most customers not out of pocket, writes Adrian Weckler
As the worst week in the history of Irish hacking closes, thousands of Irish people are left wondering whether their credit or debit cards remain at risk. Should they cancel accounts? Can they safely use them again? And have we heard the last of the Loyaltybuild hacking victims?
As the Garda Bureau of Fraud Investigation continues to sift through the rubble of the hacking heist, it's worth recapping how all of this happened and what the consequences might be.
An Ennis-based company called Loyaltybuild got hacked in October. Loyaltybuild runs customer loyalty campaigns for retailers like SuperValu, Axa, the ESB and other organisations. It had lots of these companies' customer credit and debit card details stored and these were stolen.
Of the Irish people affected (Loyaltybuild has lots of continental European customers), SuperValu customers were by far the worst hit. Some 70,000 SuperValu customers' credit and debit card details were exposed.
The next worst was Axa Insurance, with 8,000 customers. Then the ESB (Electric Ireland) with 6,700 customers.
After that, several companies had smaller numbers of customers exposed. These included Clerys, PostBank, Centra, Unislim and others. To add to this, at least 1.1 million people – mostly European customers – had non-financial personal information exposed in the attack. This included names, addresses, and other data.
All of this actually happened in October. But the company, which was set up by three Irish men but is now owned by US firm Affinion Group, only notified the gardai and the Data Protection Commissioner about it last week.
Why was the hacking attack successful? In part, it was because the data was unencrypted. In plain English, that means that once the hackers 'got in' to the company's computer system, they were able to read all of the sensitive financial information without having to work any harder. This element, revealed by Data Protection Commissioner Billy Hawkes, is likely to provide a focus for the investigation being conducted by the Data Protection Commissioner.
At this point, the gardai are suggesting that the attack was perpetrated by a foreign criminal gang. If this is the case, and if the gang is based in a former Soviet country, the chances of prosecution are slim.
Is anyone out of pocket as a result of the breach? Probably not. Quite apart from the general banking policy of reimbursing victims of credit card fraud, most of the credit card details exposed related to transactions that happened over a year ago. In some instances, such as the ESB, it was over five years ago. That means that many of them will have expired by now and can't really be exploited any more. This goes double for the 26,000 debit cards (Laser, Maestro, Visa Debit) exposed, which are replaced more frequently.
That said, banks have reported instances – or attempted instances – of fraudulent activity associated with the credit card customers' accounts. Two banks (AIB and Permanent TSB) described "dozens" of incidents of this. But they can't say for certain to what extent such fraud is linked to the heist.
What is not in question is the general safety of SuperValu (or other companies') customer credit card details for anything other than campaigns operated by Loyaltybuild. In other words, if you are a regular SuperValu customer who pays for groceries via credit or debit card, this has nothing to do with your card account. It only affects people who booked so-called 'Getaway Breaks' with the retailer.
But for those who fall into this category, the general advice is to keep an eye on your credit card bill. What you are likely to see, if an unauthorised transaction turns up on your statement, is one of a number of things. Typically, it might be a cash withdrawal from the other side of the world (although banks would probably catch this in the act or phone you to validate the transaction).
Some security experts suggest that absolute prudence would be served by cancelling the credit card. However, others dispute this approach. "The indications that we have received from banks are that there will be very limited fraud arising from this," said Una Dillon, head of Ireland's credit card industry body, the Irish Payments Services Organisation.
"Cancelling your credit card probably won't make a difference. Also, if you took all of the cards we're talking about, the banks couldn't physically replace them before Christmas."
The company at the centre of the affair, Loyaltybuild, says that there are no more company names to add to the list of hacking casualties. But the entire episode should serve as a warning to retailers to make sure their systems are fully compliant and secure.