Hackers steal 'FULL credit card details' of 376,000 people from Irish loyalty programme firm

A hack attack against an Irish loyalty programme firm, Loyaltybuild, has led to the theft of the full credit card details of at least 376,000 consumers, says the country's data protection watchdog. According to the results of a preliminary investigation by the Office of the Data Protection Commissioner (ODPC), credit card and …

COMMENTS

This topic is closed for new posts.
  1. Andrew Moore

    Nothing more to say but

    Big Horror!

  2. FartingHippo

    Unbelievable

    Surely this level of incompetence deserves a jail term, not just a fine. (I suspect payment of any fine will be a long time coming as their business collapses in short order.)

    1. deadlockvictim

      Re: Unbelievable

      This is Ireland.

      There will be no jail-terms.

      Jail terms are for little people.

      The firm may even be bailed out.

      The Irish authorities are fond of helping their own.

  3. Mage Silver badge

    Mad

    How can they claim it was clever Criminals?

    1) Not supposed to save this info

    2) Any financial stuff, if it has to be stored, should be properly encrypted, not in the web root, and not accessible via database hacks from the web.

    1. Anonymous Coward
      Joke

      Re: Mad

      Perhaps the criminals hacked their systems to store this info.

      1. Anonymous Coward

        'Perhaps the criminals hacked their systems to store this info.'

        Hilarious. Only in Ireland!

    2. Tom 35

      Re: Mad

      "How can they claim it was clever Criminals?"

      Comparing them to company management should work.

    3. Anonymous Coward

      Re: Mad

      Clever Criminals or Stupid Business leaders...?

  4. John G Imrie

    Since October ...

    So when was their ability to take credit card payments revoked?

  5. Anonymous Coward

    Dear oh dear.

    Rule number 1 of PCI - you don't store CVV data.

    Rule number 2 of PCI - you don't store CVV data.

    It isn't that difficult!

    1. Chris Miller

      Re: Dear oh dear.

      True, which rather suggests they weren't PCI-DSS compliant - unless they were taking payments by credit card, they would have no need to be. Still doesn't explain why they needed to hold this sensitive information, though.

  6. Scott Terril

    Inside job?

    I'm not sure that there is any other explanation for a company that big to violate such elementary security principles.

    1. Caff

      Re: Inside job?

      Their IT manager previously worked at Symantec; not sure if that instils confidence or not.

      ie.linkedin.com/pub/john-egan/5/632/73

  7. Caff

    parent company

    The parent company appears to be based in Slough www.affinioninternational.com and regulated by the FSA, wonder will there be any fallout from this?

    1. JimmyPage Silver badge
      Headmaster

      Re: parent company

      The parent company appears to be based in Slough www.affinioninternational.com and regulated by the FSA, wonder will there be any fallout from this?

      ITYM "FCA" - FSA is no more.

    2. jonathanb Silver badge

      Re: parent company

      They will receive a letter telling them that they are very naughty, and asking that they try not to do it again.

  8. Anonymous Coward

    "sophisticated criminal attack"

    Given the alleged store-it-all-in-plaintext, I would not be surprised if db backups were unencrypted as well. And then left in the pub car park.

  9. Eradicate all BB entrants

    I love this ....

    ..... statement.

    "working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers"

    If you valued your customers then you wouldn't store information about them that you aren't supposed to. Also in reference to the term 'security experts' you have spelled muppets incorrectly.

    1. edge_e
      Facepalm

      Re: I love this ....

      "working around the clock with our feckin eejits to get to the bottom of this and to further enhance our security in order to protect our valued customers"

      There, fixed it for you

  10. djack

    What are the Affected Schemes?

    Why does there not seem to be a full list of the schemes that Loyaltybuild were responsible for? A couple of company names have been given, but how are people expected to know if they are affected without a definitive list of the schemes?

    I'm pretty sure that this will be the first that 99% of the people on the schemes have heard of 'Loyaltybuild'.

    1. Alan Brown Silver badge

      Re: What are the Affected Schemes?

      You could do worse than starting at http://www.loyaltybuild.com/impact/see-what-our-partners-say.html and asking their PR people some pointed questions.....

      It's worth noting that some of those partners are in countries which take data breaches of this kind very seriously (Switzerland, Norway and Sweden)

      In case the "partners" suddenly opt not to be displayed anymore.

      SuperValu Ireland

      Coop MedMera HotelPremie Programme, Sweden

      Coop Norway

      AXA Insurance Ireland

      ESB Customer Supply (Ireland)

      Coop Switzerland

      That sound you hear is chainsaws revving up to pull down the barn now that the horses are gone.

  11. Stevie
    Trollface

    Bah!

    Difficult not to veer into politically incorrect stereotype land on this one.

  12. JimmyPage Silver badge
    WTF?

    Out of interest ..

    Why did a "loyalty card" scheme need credit card details ?

  13. Roland6 Silver badge

    Unique credit card per supplier?

    Given the introduction of the various PIN security devices by the banks, surely it is just a small step to go to the next level and use these devices to create a "credit card number" that is formed by encrypting the customer's actual credit card details together with the merchant's code. Hence the retained card details are only valid when that particular merchant presents them...
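    Roland6's merchant-bound "credit card number" idea, together with the PCI point made earlier in the thread that CVV is never stored, as an added Python example that is not from the article or from any commenter. It assumes a hypothetical issuer-side TokenVault holding a secret HMAC key; the PAN, expiry and merchant identifiers are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class StoredCard:
    """What a merchant such as a loyalty scheme is allowed to keep on file.

    Deliberately no CVV field (PCI DSS forbids storing it after authorisation)
    and no full PAN, only a token the issuer bound to this merchant.
    """
    token: str
    merchant_id: str
    last4: str
    expiry: str


class TokenVault:
    """Hypothetical issuer-side vault (an assumption for this example, not a real product).

    The full PAN never leaves the vault. Each merchant receives a token derived as
    HMAC(key, merchant_id || PAN), so the same card yields a different token at
    every merchant, and a token copied out of one merchant's database is worthless
    when any other party presents it.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        # token -> (PAN, merchant the token was issued to); vault-internal only
        self._records: Dict[str, Tuple[str, str]] = {}

    def derive_token(self, pan: str, merchant_id: str) -> str:
        msg = f"{merchant_id}|{pan}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def issue(self, pan: str, expiry: str, merchant_id: str) -> StoredCard:
        """Enrol a card for one merchant; returns only what that merchant may store."""
        token = self.derive_token(pan, merchant_id)
        self._records[token] = (pan, merchant_id)
        return StoredCard(token=token, merchant_id=merchant_id,
                          last4=pan[-4:], expiry=expiry)

    def authorise(self, token: str, presenting_merchant: str) -> bool:
        """Accept a token only from the merchant it was bound to."""
        record = self._records.get(token)
        if record is None:
            return False
        pan, bound_merchant = record
        if presenting_merchant != bound_merchant:
            return False
        # Recompute the binding rather than trusting the stored merchant id alone,
        # and compare in constant time.
        expected = self.derive_token(pan, presenting_merchant)
        return hmac.compare_digest(expected, token)


def replay_from_other_merchant(vault: TokenVault, card: StoredCard, other: str) -> bool:
    """Model the breach scenario: a token lifted from one merchant is presented by another."""
    return vault.authorise(card.token, other)


if __name__ == "__main__":
    # Constructed sample values: a well-known test PAN and two invented merchant ids.
    vault = TokenVault(key=b"\x11" * 32)
    card = vault.issue("4111111111111111", "12/25", "LOYALTY-SCHEME")
    print("merchant record:", card)  # contains last4 and expiry, no PAN, no CVV
    print("legit merchant:", vault.authorise(card.token, "LOYALTY-SCHEME"))  # True
    print("stolen token replayed:", replay_from_other_merchant(vault, card, "FRAUD-SHOP"))  # False
```

    The merchant-side record is the only thing a loyalty scheme would hold, so a dump of its database yields tokens that the issuer refuses from anyone but that scheme, plus last four digits and expiry; the sensitive data stays in the vault, and the CVV is never written anywhere.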

  14. Mystic Megabyte
    FAIL

    Gis'us a job

    May I be the first to apply for a job at LoyaltyCard, I think that all the management just got sacked and even I could do better than them.

    My CV:

    Management experience, none.

  15. phuzz Silver badge

    I used to work with a credit card processing system from Commidea which stored all the credit card details (except the CVV; this was about 10 years ago, so CVV wasn't in wide use then) in plain text. It would then upload the transaction details via FTP (not SFTP) over its own private ISDN line.

    One of my jobs was to pop into the server room in the morning, open up the processing software, and print out the last day's transactions, so our accounts team could verify they'd all gone through correctly. Of course, the full card number and expiry date were on the printout.

    Funnily enough Commidea pulled the product after a while.

  16. Richard Pennington 1

    Given that they apparently held CVV data (a big no-no) and held all the data unencrypted (another big no-no), may I suggest that they should be held liable for any loss sustained by holders of the affected cards?

  17. Wanda Lust

    Surprised, oh, no.

    Only surprised that it's taken this long for such a slurp to take place in .ie land.

    1. Anonymous Coward

      Re: Surprised, oh, no.

      I doubt it took that long. These are just the first to be outed. And I very much doubt there's any particular ie angle here - many British and US firms are equally incompetent, and overseen by equally toothless regulators. The only ie specifics might be that the regulator is more likely to be related to the guilty in Ireland.

  18. Anonymous Coward

    'Loyaltybuild is an international loyalty marketing company'

    ..."(we) create, manage and deliver innovative customer loyalty programmes to help build businesses and brands"... But we're always on the lookout for new business models where we can reward our loyal customers with sneaky charges and fees on their credit cards... Why else would we have all their details down to CVV?

  19. Anonymous Coward

    The key line...

    "It is not known why the loyalty card scheme was retaining customers' credit card payment data".... And there it is folks. Anyone going to jail over this? Slap on the wrist? A minute fine?... Nada! Probably because our DPC is just a puppet for corporations who only come here for tax-haven status...

    ...
