Irish data protection commissioner warns credit card details of up to 500,000 people compromised in Loyaltybuild security breach

By Mark Leiser, Research Fellow

November 17, 2013

The Irish Data Protection Commissioner has warned that the credit card details of up to 500,000 people across Europe may have been compromised by a data breach at loyalty programme creator Loyaltybuild.

News of the criminal attack emerged last week and it is said to have affected customers of Supervalu and Axa Insurance. An inspection team from the Office of the Data Protection Commissioner confirmed that the names, addresses, phone numbers and email addresses of around 1.12 million clients were stolen alongside up to 500,000 credit card numbers and verification codes.

Data protection commissioner Billy Hawkes warned that the criminals involved could have the information needed to use the credit cards of people affected by the data breach.

“We were told about the original issue last week, last Monday, but we were updated and told the situation was more serious because we now know the criminals involved have all the information needed to use the credit cards of the people concerned to make purchases,” he told RTÉ’s Morning Ireland on Tuesday.

“Breaches are getting larger and happening more often – recent examples being Loyaltybuild, Adobe and Vodafone to name a few,” said Eric Chiu, president and co-founder of HyTrust, the cloud infrastructure control company, following the news.

“Historically, organisations have utilised 'outside-in' security models, focusing on perimeter-based security while ignoring security around access to systems from the inside. According to Forrester, most breaches involve insider threats; therefore, companies need to shift their thinking to an 'inside-out' model and assume the bad guys are already on the network.

“Companies are obligated to protect private customer data, intellectual property and regulated information. Organisations should secure the data itself through automated encryption as well as control administrator access to systems containing sensitive data by implementing fine-grained access controls and role-based monitoring.”

He added: “This is the only way to prevent potential breaches and data centre disasters, especially in virtualization and cloud environments where the risk is ten times greater.”

“It’s unclear why Loyaltybuild stored the compromised credit card information in the first place,” added Gene Meltser, technical director for Neohapsis Labs, the research arm of Neohapsis, a security and risk management consulting company specialising in mobile and cloud security services.

“In general, loyalty-based programs function by rewarding users for specific purchasing activity, and to do that, loyalty rewards programs only need to correlate a member’s account information, such as a name, to purchasing activity records related to the reward in question.

“In an overwhelming majority of cases, it is unnecessary to store detailed credit card data, and in absolutely all cases it is prohibited to store the 3 or 4 digit codes, or CVV values, off the credit card. To store this data unencrypted would not only be fundamentally prohibited under PCI-DSS requirements, but would also demonstrate considerable negligence in protecting customer and payment data.”

Erik Bataller, principal security consultant at Neohapsis, said the breach was “particularly painful”.

“CVV data makes this breach particularly painful and difficult because it is often a secondary mechanism used to ensure the physical card is in the hands of the customer making the order,” he explained.

“Organizations are explicitly prohibited from storing the CVV to prevent this type of risk and exposure. Generally, the storage of cardholder data is a common practice that places organizations and their customers at significant risk. Most organisations should be aggressively considering or implementing solutions that allow them to avoid ever being directly in contact with a credit card number/PAN and CVV.”

He added: “Some service providers and processors can provide the capability for merchants and other service providers to transparently store, process and transmit the actual cardholder data on their behalf with solutions such as tokenization and transparent redirection. In today’s threat landscape, it is often prudent for many merchants to transfer the associated costs and risks of PCI compliance and credit card processing to other organisations.”
