Up to 43,000 customers could be hit after loyalty card cyber attack
UP to 43,000 customers who booked getaway breaks could be affected by a security breach at a company which operates a loyalty scheme on behalf of major retailers.
Credit and debit card details belonging to customers of Super Valu, Axa and Stena Line may have been compromised following a cyber attack at a Co Clare firm.
LoyaltyBuild, based in Ennis, operates loyalty schemes on behalf of the three companies and said that customers who booked breaks in the last 90 days may be affected.
However, it stressed that CVV (Card Verification Value) numbers – generally needed to complete online transactions – were not stored.
Some 39,000 Super Valu customers from the Republic and Northern Ireland booked breaks, another 50 with Stena Line and 4,368 with insurance giant Axa, it said.
Another 102,000 customers in Norway and Sweden may also be affected.
Suspicion about a possible breach emerged on Friday, October 25, and a team of "expert forensic investigators" was appointed to determine what had happened.
On Wednesday, October 30, it emerged that a breach may have occured and it contacted the Data Protection Commissioner (DPC) two days later.
"Loyaltybuild's notification was precautionary as Loyaltybuild had no, and indeed still has no, evidence to show that personal data has been compromised," it said.
A spokesman for the Data Protection Commission said its systems were encrypted, and it was not clear how much information had been taken.
"It is still to be determined what information the attacker was able to gain access to," they said.
"The systems were encrypted, including credit card and contact numbers. They (LoyaltyBuild) took the step of notifying individuals just in case.
"The main thing is people should monitor credit card use on their accounts or take measures to alter their details like PIN numbers, or seek advice from their credit card provider. The company may have taken measures to seek advice from credit card advisers to flag certain accounts.
"It's a priority for them to get to the bottom of finding out the extent to which any information has been compromised. It may take a few days and we'll be in contact with them."
It is understood it may take up to 15 days to determine how much information was taken.
Axa and Super Valu, which had the largest numbers of customers at the centre of the attack, said it was in contact with LoyaltyBuild on a daily basis.
Axa began emailing its customers yesterday, and plans to send follow-up letters.
"We don't have any information as to whether there has been a data breach," a spokesman said. "Customers will be worried, but they will have protection against fraudulent activity on their cards."
Loyaltybuild manage and operate AXA Leisure Breaks on behalf of AXA Ireland, which gives customers a special rate on hotel and self-catering breaks.
"To minimise risk, Loyaltybuild operate a policy whereby they maintain as little personal information as possible. Credit Card numbers are encrypted and they deliberately do not store CVV numbers," the AXA spokesman added.
He said the issue was only related to AXA Leisure Breaks, and not other websites operated by the company.
Stena Line added that it had worked on a "small scale, tactical hotel promotion" with Loyaltybuild, which had finished.
Concerned customers should call Stena on 01 2047 777, with helplines also in place for Axa on 0818 300 189 and Super Valu on 0818 220 088.