Nothing more to say but
Big Horror!
A hack attack against an Irish loyalty programme firm, Loyaltybuild, has led to the theft of the full credit card details of at least 376,000 consumers, says the country's data protection watchdog. According to the results of a preliminary investigation by the Office of the Data Protection Commissioner (ODPC), credit card and …
..... statement.
"working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers"
If you valued your customers then you wouldn't store information about them that you aren't supposed to. Also in reference to the term 'security experts' you have spelled muppets incorrectly.
Why does there not seem to be a full list of the schemes that Loyaltybuild were responsible for? A couple of company names have been given, but how are people expected to know if they are affected without a definitive list of the schemes?
I'm pretty sure that this will be the first that 99% of the people on the schemes have heard of 'Loyaltybuild'.
You could do worse than starting at http://www.loyaltybuild.com/impact/see-what-our-partners-say.html and asking their PR people some pointed questions.....
It's worth noting that some of those partners are in countries which take data breaches of this kind very seriously (Switzerland, Norway and Sweden)
In case the "partners" suddenly opt not to be displayed anymore.
SuperValu Ireland
Coop MedMera HotelPremie Programme, Sweden
Coop Norway
AXA Insurance Ireland
ESB Customer Supply (Ireland)
Coop Switzerland
That sound you hear is chainsaws revving up to pull down the barn now that the horses are gone.
Given the introduction of the various PIN security devices by the banks surely it is just a small step to go to the next level and use these devices to create a "credit card number" that is formed by the encrypting of the customer's actual credit card details and the merchant's code. Hence the retained card details are only valid when that particular merchant presents them...
I used to work with a credit card processing system from Commidea which stored all the credit card details (except the CVV, this was about 10 years ago, so CVV wasn't in wide use then) in plain text. It would then upload the transaction details via FTP (not SFTP) over its own private ISDN line.
One of my jobs was to pop into the server room in the morning, open up the processing software, and print out the last day's transactions, so our accounts team could verify they'd all gone through correctly. Of course, the full card number and expiry date were on the printout.
Funnily enough Commidea pulled the product after a while.
I doubt it took that long. These are just the first to be outed. And I very much doubt there's any particular ie angle here - many British and US firms are equally incompetent, and overseen by equally toothless regulators. The only ie specifics might be that the regulator is more likely to be related to the guilty in Ireland.
..."(we) create, manage and deliver innovative customer loyalty programmes to help build businesses and brands".. But we're always on the look out for new business models where we can reward our loyal customers with sneaky charges and fees on their credit cards... Why else would we have all their details down to CCV?
"It is not known why the loyalty card scheme was retaining customers' credit card payment data".... And there it is folks. Anyone going to jail over this? Slap on the wrist? A minute fine?... Nada! Probably because our DPC is just a puppet for corporations who only come here for tax-haven status...