Cyberattack on reward scheme company exposes credit card details for up to 376,000 European shoppers

Hackers have accessed full card details for at least 376,000 people in a cyberattack on a “reward scheme” company, Loyaltybuild – as well as phone numbers and addresses for more than a million others.

The company runs reward schemes including discounted holidays for supermarket chains across Europe, including the Irish chain SuperValu and insurance company AXA, according to Sky News.

The full scope of the attack only became apparent today, according to the Irish Times.

“Everything changed yesterday when Loyaltybuild contacted the Data Protection Commissioner  again to say financial details of more than 62,000 Supervalu customers and 8,000 Axa customers who had paid for breaks between January 2011 and February 2012 had been seriously compromised and could now be used by a third party to make purchases or – worse again – clone credit or debit cards,” wrote the paper’s Conor Pope.

Ireland’s Office of the Data Protection Commissioner confirmed that 70,000 Supervalu custommers had their full credit card details stolen in the breach, along with 376,000 others.

“The details of an additional 150,000 clients were potentially compromised,” the DPC said in its statement.

“The inspection team also confirmed that name, address, phone number and email address of 1.12m clients were also taken. The initial indications are that these breaches were an external criminal act.”

“The ODPC continues to warn customers to be vigilant in relation to their accounts and to report any suspicious transactions to their card company. Clients should also be vigilant in relation to suspicious communication of any kind which they receive.”

Loyaltybuild raised concerns about a breach on October 25, but the full extent of the attack has only emerged this week. The company described the breach as a “sophisticated criminal attack.”

“We are working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers, who are of paramount importance to us,” the company said in a statement.

“Unfortunately, the threat of cyberattacks is increasingly becoming a reality of doing business today and Loyaltybuild would like to sincerely apologise for any distress or inconvenience caused.”

ESET and We Live Security offer advice on what to do if you are affected by a major site breach here.