Last week Ireland’s Office of the Data Protection Commissioner (ODPC) reported that loyalty marketing company Loyaltybuild had been hit with a major data breach. The breach, affecting at least 1.2 million customers, resulted in the loss of customer names, addresses, phone numbers and email addresses in addition to 376,000 credit card numbers (CCN).
In a statement on their website, Loyaltybuild wrote:
"We have ceased taking bookings on our website and over the phone"
According to their website, Loyaltybuild was established in 1999 and is “backed by sophisticated web, booking engine and database technologies, designed for large-scale campaigns in one or more languages.”
Unfortunately, Loyaltybuild was also storing unencrypted sensitive information, and too much of it at that. As if CCN data were not enough, CVV numbers (which PCI-DSS prohibits storing at all) were also compromised. There is very little reason for Loyaltybuild to hold CCN information (especially unencrypted) and no reason to store CVV numbers.
Let’s talk about the numbers: hundreds of thousands of credit card records and more than a million records of additional information (email, addresses, etc.) is a lot to exfiltrate. Data monitoring should have alerted to such a large number of records being read or moved - especially when it was moved outside of the organization.
According to reports, some of the data was historical (from 2011 - 2012). Historical records - that are less frequently accessed - should have raised an even bigger flag.
As 'sophisticated' as this breach might prove to be, simple monitoring of data record access could have alerted security personnel and might have prevented this breach. Most would agree that copying a million records is worth opening a ticket with the IT Security team.
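To make the monitoring point concrete, here is an added example (not code from Loyaltybuild or from the original post) that runs the two checks described above over constructed database audit-log lines: a bulk-read threshold per user and table, raised to high severity when the rows touched include historical records. The log format, user names, row counts and thresholds are all assumptions.

```python
# Added example: flag bulk reads and reads of historical records in a
# database audit log. The log format, thresholds and user names are
# constructed assumptions, not Loyaltybuild's systems or data.
from collections import defaultdict
from datetime import date

# Constructed audit-log lines, one per query: who read which table, how many
# rows came back, and the oldest record touched.
AUDIT_LOG = """\
2013-11-08T09:12:01Z user=crm_web table=customers rows=12 min_created=2013-11-01
2013-11-08T09:12:07Z user=crm_web table=payments rows=3 min_created=2013-11-07
2013-11-08T02:41:33Z user=report_svc table=customers rows=1230000 min_created=2011-03-14
2013-11-08T02:45:10Z user=report_svc table=payments rows=376000 min_created=2011-05-02
"""

BULK_ROWS = 10_000               # rows per (user, table) that warrant a ticket
STALE_BEFORE = date(2013, 1, 1)  # records older than this count as historical

def parse_line(line):
    """Turn one 'k=v' audit line into a dict with typed rows and date."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    rec["rows"] = int(rec["rows"])
    rec["min_created"] = date.fromisoformat(rec["min_created"])
    return rec

def detect(log_text):
    """Aggregate rows per (user, table) and return alerts as
    (user, table, total_rows, severity). 'high' means the bulk read also
    touched historical records, which normal traffic rarely reads."""
    rows = defaultdict(int)
    oldest = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        key = (rec["user"], rec["table"])
        rows[key] += rec["rows"]
        oldest[key] = min(oldest.get(key, rec["min_created"]), rec["min_created"])
    alerts = []
    for key, total in rows.items():
        if total < BULK_ROWS:
            continue
        severity = "high" if oldest[key] < STALE_BEFORE else "medium"
        alerts.append((key[0], key[1], total, severity))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print("ALERT", alert)
```

The two report_svc reads trip the threshold and reach back into 2011 data, so they come out as high-severity alerts, while the small crm_web lookups stay silent.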
Another recent security event, the MongoHQ breach, revealed the dangers of attacks on service providers: ‘hack one hack them all.’ The service provider is not the only one on the receiving end of these attacks - their customers are as well.
After the MongoHQ breach we advised that customers take responsibility for their sensitive data and know how their business partners are securing it. In the Loyaltybuild case, customers agreed to share too much, in plaintext, with no guarantees. When using third-party services, businesses should share the bare minimum of information with their partners. This is particularly true of sensitive information.
In both cases, simple encryption of the sensitive data might have minimized the fallout. Moreover, in both cases customers were way too trusting with their service provider. Whether a cloud-based startup or an established business like Loyaltybuild, customers need to protect themselves and not assume their service providers will do the job for them.
Security is based on trust; however, given these recent breaches, trust is increasingly difficult to come by.