Hackers steal 'FULL credit card details' of 376,000 people from Irish loyalty programme firm

A hack attack against an Irish loyalty programme firm, Loyaltybuild, has led to the theft of the full credit card details of at least 376,000 consumers, says the country's data protection watchdog. According to the results of a preliminary investigation by the Office of the Data Protection Commissioner (ODPC), credit card and – …

COMMENTS

This topic is closed for new posts.

Nothing more to say but

Big Horror!

0
0
Silver badge

Unbelievable

Surely this level of incompetence deserves a jail term, not just a fine. (I suspect payment of any fine will be a long time coming as their business collapses in short order.)

10
0
Bronze badge

Re: Unbelievable

This is Ireland.

There will be no jail-terms.

Jail terms are for little people.

The firm may even be bailed out.

The Irish authorities are fond of helping their own.

3
0
Silver badge

Mad

How can they claim it was clever Criminals?

1) Not supposed to save this info

2) Any financial data that has to be stored should be properly encrypted, not in the web root, and not accessible via database hacks from the web.

5
0
Bronze badge
Joke

Re: Mad

Perhaps the criminals hacked their systems to store this info.

2
1
Silver badge

Re: Mad

"How can they claim it was clever Criminals?"

Comparing them to company management should work.

5
0
Anonymous Coward

'Perhaps the criminals hacked their systems to store this info.'

Hilarious. Only in Ireland!

0
0
Anonymous Coward

Re: Mad

Clever Criminals or Stupid Business leaders...?

0
0
Silver badge

Since October ...

So when was their ability to take credit card payments revoked?

0
0
Anonymous Coward

Dear oh dear.

Rule number 1 of PCI - you don't store CVV data.

Rule number 2 of PCI - you don't store CVV data.

It isn't that difficult!

1
1
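The two posts above boil down to one check a defender can actually run: does any stored record contain a full card number or a security code? The script below is an added illustration, not anything from the thread or from Loyaltybuild; the rows are constructed sample data using public test card numbers, and the field names (pan, cvv, cvv2) are assumptions about what an export might look like. It flags Luhn-valid 13-19 digit runs as stored PANs (reported masked, first six and last four only) and any labelled 3-4 digit security code as a stored CVV, which PCI DSS forbids keeping after authorisation regardless of encryption.

```python
import re
from dataclasses import dataclass

# Constructed sample export rows (hypothetical loyalty-scheme data, not from the page).
# Card numbers are well-known public test PANs, not real accounts.
SAMPLE_ROWS = [
    "id=1001,name=A. Example,pan=4111111111111111,expiry=12/25,cvv=123",
    "id=1002,name=B. Example,pan=5555555555554444,expiry=03/26",
    "id=1003,name=C. Example,ref=1234567890123,token=tok_98f2",
    "id=1004,name=D. Example,pan=4242424242424242,cvv2=987,notes=renewal",
]

# Any run of 13-19 digits is a PAN candidate; the Luhn check weeds out most
# reference numbers and order ids that merely look like card numbers.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Sensitive authentication data (CVV/CVC/CSC) must never be stored after
# authorisation, so any labelled 3-4 digit security code is a finding by itself.
CVV_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|csc|security_code)\s*[=:]\s*(\d{3,4})(?!\d)")


@dataclass
class Finding:
    row_id: str
    kind: str      # "PAN" or "CVV"
    detail: str    # masked PAN (first 6 / last 4) or "***" for a security code


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_row(row: str) -> list:
    """Scan one record and report stored PANs and security codes; never echo them in full."""
    row_id = row.split(",", 1)[0]
    findings = []
    for m in PAN_RE.finditer(row):
        if luhn_ok(m.group(1)):
            findings.append(Finding(row_id, "PAN", mask_pan(m.group(1))))
    for m in CVV_RE.finditer(row):
        findings.append(Finding(row_id, "CVV", "***"))
    return findings


def scan_rows(rows) -> list:
    findings = []
    for row in rows:
        findings.extend(scan_row(row))
    return findings


def summarize(findings) -> dict:
    """Counts per finding kind, e.g. {'PAN': 3, 'CVV': 2}."""
    counts = {"PAN": 0, "CVV": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


if __name__ == "__main__":
    found = scan_rows(SAMPLE_ROWS)
    for f in found:
        print(f"{f.row_id}: stored {f.kind} {f.detail}")
    print(summarize(found))
```

On the sample rows this reports three stored PANs and two stored security codes, and ignores row 1003, whose 13-digit reference fails Luhn. A PAN finding is a question (is it rendered unreadable at rest?); a CVV finding is a violation on its own.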
Silver badge

Re: Dear oh dear.

True, which rather suggests they weren't PCI-DSS compliant - unless they were taking payments by credit card, they would have no need to be. Still doesn't explain why they needed to hold this sensitive information, though.

0
0

Inside job?

I'm not sure that there is any other explanation for a company that big to violate such elementary security principles.

0
0

Re: Inside job?

Their IT manager previously worked at Symantec, not sure if that instils confidence or not.

ie.linkedin.com/pub/john-egan/5/632/73

1
0

parent company

The parent company appears to be based in Slough www.affinioninternational.com and regulated by the FSA, wonder will there be any fallout from this?

1
0
Silver badge
Headmaster

Re: parent company

The parent company appears to be based in Slough www.affinioninternational.com and regulated by the FSA, wonder will there be any fallout from this?

ITYM "FCA" - FSA is no more.

0
0
Silver badge

Re: parent company

They will receive a letter telling them that they are very naughty, and asking that they try not to do it again.

1
0
Anonymous Coward

"sophisticated criminal attack"

Given the alleged store-it-all-in-plaintext, I would not be surprised if db backups were unencrypted as well. And then left in the pub car park.

3
0
Bronze badge

I love this ....

..... statement.

"working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers"

If you valued your customers then you wouldn't store information about them that you aren't supposed to. Also in reference to the term 'security experts' you have spelled muppets incorrectly.

12
0
Facepalm

Re: I love this ....

"working around the clock with our feckin eejits to get to the bottom of this and to further enhance our security in order to protect our valued customers"

There, fixed it for you

0
0

What are the Affected Schemes?

Why does there not seem to be a full list of the schemes that Loyaltybuild were responsible for? A couple of company names have been given, but how are people expected to know if they are affected without a definitive list of the schemes?

I'm pretty sure that this will be the first that 99% of the people on the schemes have heard of 'Loyaltybuild'.

2
0
Silver badge

Re: What are the Affected Schemes?

You could do worse than starting at http://www.loyaltybuild.com/impact/see-what-our-partners-say.html and asking their PR people some pointed questions.....

It's worth noting that some of those partners are in countries which take data breaches of this kind very seriously (Switzerland, Norway and Sweden)

In case the "partners" suddenly opt not to be displayed anymore.

SuperValu Ireland

Coop MedMera HotelPremie Programme, Sweden

Coop Norway

AXA Insurance Ireland

ESB Customer Supply (Ireland)

Coop Switzerland

That sound you hear is chainsaws revving up to pull down the barn now that the horses are gone.

0
0
Silver badge
Trollface

Bah!

Difficult not to veer into politically incorrect stereotype land on this one.

0
0
Silver badge
WTF?

Out of interest ..

Why did a "loyalty card" scheme need credit card details ?

2
0
Bronze badge

Unique credit card per supplier?

Given the introduction of the various PIN security devices by the banks surely it is just a small step to go to the next level and use these devices to create a "credit card number" that is formed by the encrypting of the customers actual credit card details and the merchant's code. Hence the retained card details are only valid when that particular merchant presents them...

1
0
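The merchant-bound card number the post above sketches is essentially tokenization. The code below is an added illustration of that idea, not the poster's design, any bank's scheme, or a Loyaltybuild system: a hypothetical vault keeps the real PAN and hands each merchant an HMAC-derived token bound to that merchant's id. The merchant ids, the HMAC key and the token length are all constructed assumptions. The point it demonstrates is the one the poster makes: a token lifted from merchant A's database is worthless to anyone presenting it as merchant B.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class MerchantTokenVault:
    """Hypothetical tokenization service (illustration only, not a real product).

    The real PAN lives only here. Each merchant receives a token derived from
    the PAN *and* the merchant's own id, so a token taken from merchant A's
    records cannot be redeemed by, or on behalf of, merchant B.
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)      # HMAC key, never leaves the vault
        self._entries: Dict[str, Tuple[str, str]] = {}  # token -> (pan, merchant_id)

    def issue(self, pan: str, merchant_id: str) -> str:
        """Return the merchant-bound token for this PAN and record the mapping."""
        msg = f"{merchant_id}|{pan}".encode()
        # 24 hex chars is an assumed, readable token size; the derivation is what matters.
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]
        self._entries[token] = (pan, merchant_id)
        return token

    def redeem(self, token: str, merchant_id: str) -> Optional[str]:
        """Resolve a token to its PAN only for the merchant it was issued to."""
        entry = self._entries.get(token)
        if entry is None:
            return None
        pan, bound_merchant = entry
        if not hmac.compare_digest(bound_merchant.encode(), merchant_id.encode()):
            return None
        return pan


def demo() -> dict:
    # Constructed values: a public test PAN, a fixed key and two made-up merchant ids.
    vault = MerchantTokenVault(key=b"\x01" * 32)
    pan = "4111111111111111"
    tok_a = vault.issue(pan, "merchant-A")
    tok_b = vault.issue(pan, "merchant-B")
    return {
        "distinct_per_merchant": tok_a != tok_b,
        "a_redeems_own": vault.redeem(tok_a, "merchant-A") == pan,
        "b_cannot_use_a": vault.redeem(tok_a, "merchant-B") is None,
        "stable_for_repeat_customer": vault.issue(pan, "merchant-A") == tok_a,
    }


if __name__ == "__main__":
    print(demo())
```

The same card yields an unrelated token at each merchant, a repeat customer gets the same token at the same merchant (so the merchant never needs the PAN for recurring use), and a breach of the merchant's records exposes only tokens the vault will refuse to honour for anyone else.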
Silver badge
FAIL

Gis'us a job

May I be the first to apply for a job at LoyaltyCard, I think that all the management just got sacked and even I could do better than them.

My CV:

Management experience, none.

2
0
Bronze badge

I used to work with a credit card processing system from Commidea which stored all the credit card details (except the CVV; this was about 10 years ago, so CVV wasn't in wide use then) in plain text. It would then upload the transaction details via FTP (not SFTP) over its own private ISDN line.

One of my jobs was to pop into the server room in the morning, open up the processing software, and print out the last day's transactions, so our accounts team could verify they'd all gone through correctly. Of course, the full card number and expiry date were on the printout.

Funnily enough Commidea pulled the product after a while.

0
0

Given that they apparently held CVV data (a big no-no) and held all the data unencrypted (another big no-no), may I suggest that they should be held liable for any loss sustained by holders of the affected cards?

5
0

Surprised, oh, no.

Only surprised that it's taken this long for such a slurp to take place in .ie land.

0
0
Silver badge

Re: Surprised, oh, no.

I doubt it took that long. These are just the first to be outed. And I very much doubt there's any particular ie angle here - many British and US firms are equally incompetent, and overseen by equally toothless regulators. The only ie specifics might be that the regulator is more likely to be related to the guilty in Ireland.

2
0
Anonymous Coward

'Loyaltybuild is an international loyalty marketing company'

..."(we) create, manage and deliver innovative customer loyalty programmes to help build businesses and brands"... But we're always on the lookout for new business models where we can reward our loyal customers with sneaky charges and fees on their credit cards... Why else would we have all their details down to the CVV?

0
0
Anonymous Coward

The key line...

"It is not known why the loyalty card scheme was retaining customers' credit card payment data".... And there it is folks. Anyone going to jail over this? Slap on the wrist? A minute fine?... Nada! Probably because our DPC is just a puppet for corporations who only come here for tax-haven status...

...

0
0