DataBreaches.Net


SuperValu warns customers of data breach (update 4 with numbers, Stena Line, other countries also affected, statement from Loyaltybuild)

Posted on November 4, 2013 by Dissent

Conor Pope reports:

SuperValu has been forced to contact thousands of customers who have bought its “getaway breaks” after a security breach at the company that oversees the scheme left sensitive financial data potentially compromised.

The “getaway breaks” vouchers are a key loyalty reward programme run by the US-owned company Loyaltybuild, which is based in Co Clare. It is reviewing the security of the personal and payment card information held on its booking system.

“This review is necessary as Loyaltybuild has advised its client base in Ireland that its system may have been compromised by a third party,” said SuperValu in a statement.

“This issue is exclusive to ‘Getaway Breaks’. It does not impact SuperValu’s other websites or any other customer transactions by payment card,” a spokesman said.

Read more on Irish Times. The SuperValu.ie site currently has this notice on its “Getaway Breaks” page:

We are experiencing technical issues and we are hard at work to bring SuperValu Getaway Breaks and Bonus Rewards back online. Thank you for your patience, we apologise for any inconvenience caused.

I hate when sites suggest they are down for “maintenance” or a “technical” problem when they know they’re looking into a security breach. But then, I guess under Ireland’s laws, they don’t have to post anything on their web site about this, and reportedly, the data were encrypted and they have no evidence of acquisition or misuse. So….

Update 1: Today’s RTÉ reports that more than 30,000 customers were affected by this breach. They report that another Loyaltybuild client, Axa, also had customers affected (approximately 4,000).

Update 2: And now it’s more than 140,000 who have personal and payment card info at risk, including 40,000 Irish customers of Supervalu, Axa, and Stena Line, and 100,000 consumers in Norway, Italy, and Sweden.

Loyaltybuild posted the following statement on their site yesterday:

On Friday 25th October our data security team identified a suspected system breach. From the moment Loyaltybuild discovered the breach we took immediate action to rectify the situation and protect stored data.

We immediately engaged the services of a firm of leading, international, online security experts. They are conducting a forensic investigation to help us identify whether any of our stored data was compromised, and, if so, to what extent. As of 1pm today the forensics team reported there had been no signs of person or payment data being extracted or compromised, but the forensic examination is ongoing. The Irish Data Protection Commissioner and all affected clients have been informed of the suspected breach.

Unfortunately, the threat of cyber-attacks is increasingly becoming a reality of doing business today. To this end, we employ systems which operate to the highest level of encryption and security standards and we constantly monitor and test our systems.

To minimise risk we operate a policy of maintaining as little personal information as possible; credit card numbers are encrypted and we deliberately do not store CVV numbers – the card verification value – which is a 3 digit number found on the back of a credit / debit card. All payment details are deleted 90 days after a consumer has travelled.

We are working around the clock with our security experts to get to the bottom of this and to further enhance our security.

As soon as we have more information from the forensics team we will publish an update.

We regret any inconvenience caused and are taking every necessary action to rectify this issue.

For customer queries please call the Loyaltybuild Helpline on 065 686 5200. The helpline is open Monday to Sunday from 9am to 8pm.

Update 3: SuperValu has revised its estimate upwards to report that 62,500 of their customers may have been affected.

Update 4: Now the total number across the EU is estimated at 500,000.

Category: Business Sector, Hack, Non-U.S., Of Note


2 thoughts on “SuperValu warns customers of data breach (update 4 with numbers, Stena Line, other countries also affected, statement from Loyaltybuild)”

  1. IA Eng says:
    November 7, 2013 at 12:53 pm

    Add another “value site” to the compromised list = \

    http://news.softpedia.com/news/Harbor-Freight-Tools-Hacked-Payment-Processing-System-Compromised-397103.shtml

    1. Dissent says:
      November 7, 2013 at 3:13 pm

      I had reported that breach last week, here: http://www.databreaches.net/harbor-freight-tools-usa-notifies-customers-that-payment-processing-system-was-hacked/


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.