Vendor Breach Exposes Card Data, PIIEuropean Loyalty Company Attack Highlights Third-Party Risks
The breach of an Ireland-based loyalty marketing company, which authorities confirm exposed payment card data on more than 376,000 consumers plus other personally identifiable information about more than 1 million, illustrates, yet again, the privacy vulnerabilities third parties pose, experts say.
Ireland's Office of the Data Protection Commissioner says card details on another 150,000 consumers "were potentially compromised." For now, however, it's offering few specifics. On Nov. 11, the commissioner confirmed only that card details for 70,000 customers of SuperValu, an Ireland-based grocer and food distributor, and 8,000 customers of AXA Insurance Ireland were exposed. Both used Loyaltybuild for holiday loyalty marketing programs.
Additionally, some Electric Ireland customers who participated in a loyalty program run by the Electricity Supply Board in 2007 and 2008 also have been impacted by the breach, the commissioner noted. Loyaltybuild notified the utility that names, addresses, phone numbers, e-mail accounts and booking references for those customers may have been exposed, according to the commissioner's office. But financial or card transaction data is not believed to have been affected.
The commissioner has not yet identified what other companies' customers had their card details exposed, including those elsewhere in Europe, but says the investigation into the breach is ongoing.
Authorities are warning potentially affected consumers to review all credit and debit transactions conducted since mid-October to identify any suspicious or fraudulent activity.
"This really highlights one of the key themes we've been discussing lately, i.e., the importance for any entity with responsibility for card data to have strict oversight of its third-party providers who also handle that data," says Julie Conroy, a financial fraud expert and analyst with consultancy Aite. "While the breach happened at Loyaltybuild, unfortunately all the negative press and reputational damage will focus on SuperValu and AXA, who ultimately own the customer relationship."
Breach Discovered in October
The breached marketing firm, Loyaltybuild, currently or previously provided loyalty programs for SuperValu, AXA and a host of other international companies, according to Data Protection Commissioner.
Loyaltybuild first detected a suspected breach of its network on Oct. 25 and immediately initiated a forensics investigation, according to a Nov. 11 statement posted on its website. It determined that it had been the victim of a "sophisticated criminal attack" and notified the Data Protection Commissioner.
"As the safety of our customer data is of utmost importance to us, we immediately informed our clients of this new development so they could put their own processes in place to inform customers of any potential compromise to their data," Loyaltybuild states. "Unfortunately, the threat of cyber-attacks is increasingly becoming a reality of doing business today."
All those affected by the breach will be notified by the merchants through which they held accounts or conducted transactions, according to the Office of the Data Protection Commissioner. The office plans to make recommendations to Loyaltybuild about boosting security and that it plans to conduct a follow-up inspection.
None of the affected companies could be reached for comment about the breach.
Need for Indemnification Clauses
Alan Brill, senior managing director for security consultancy Kroll, says companies affected by the Loyaltybuild breach should use it as a catalyst for stronger third-party security due diligence. "Understanding the root-cause of this incident is vital, given the number of people and companies involved," he says.
"The evolution of how cyber-activities are managed makes for increasing use of third-parties operating through various "cloud" relationships," he explains.
This is why it's critical for organizations to ensure the contracts they have with third parties include breach notification and indemnification clauses, spelling out who will cover the costs of a breach, Brill says.
Businesses should raise security risk questions with legal counsel and their insurance managers when drafting contracts with third parties, he says. "This is particularly true where a third party may be in a country without the kind of breach protection and notification laws we're used to," Brill adds.
When breaches occur, consumers look to the brands with which they have relationships for protection and notification after a breach, Brill emphasizes.
"Ultimately, your customers are your customers and you can't abdicate the responsibility when something goes wrong, even if it's really an incident at a contractor, or even the contractor's contractor," he says.