Loyalty scheme company LoyaltyBuild has confirmed that it has been the victim of a sophisticated criminal attack.
After it was widely reported that more than 1.5 million people were known to have had personal information compromised by the security breach, the Irish company said that it was “working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers”.
It said: “From the moment we first detected a suspected security breach on Friday, October 25th we immediately engaged the services of an expert forensics security team and have worked tirelessly to try to rectify this situation.
“As the safety of our customer data is of utmost importance to us we immediately informed our clients of this new development so they could put their own processes in place to inform customers of any potential compromise to their data.
“Unfortunately, the threat of cyber-attacks is increasingly becoming a reality of doing business today and LoyaltyBuild would like to sincerely apologise for any distress or inconvenience caused.”
Check Point’s UK technical director Tom Davison pointed out that this breach is far more extensive than originally thought, and warned users to be wary of links in emails which claim to be from LoyaltyBuild or its affiliates, no matter how authentic they seem to be. “There’s a very real risk that attackers will use the details exposed in the attack to send phishing emails to users, to try and harvest more sensitive data,” he said.
“Attacks against companies with the aim of stealing customer data are still a real threat. We recently surveyed over 2,600 C-level and IT staff at firms globally, and found they reported an average of 68 new security attack attempts per week, with data theft as the main objective. This is one of the biggest breaches in recent years, showing the problem isn’t going away.”
Paul Ayers, VP EMEA at Vormetric, said: “Hacking attacks are becoming much more focused on securing a worthwhile payload – that is to say sensitive customer data that can be used for fraudulent purposes. In this instance it is unclear as to how those behind the attack got in, but it shows that any company that holds personal information that could potentially be exploited is likely to find themselves in the sights of cyber criminals.
“This is particularly true of credit card data and fortunately, standards exist to regulate the processing of such sensitive information – though whether enough organisations give these the attention they deserve, remains to be seen.
“It’s very important for businesses to continuously monitor their networks for suspicious activity in order to identify and neutralise attacks at the earliest possible stage – ideally, before any data is stolen. Every organisation will have some measure of IT security in place, yet we continue to see breaches. Traditional IT security measures simply don’t provide effective defence for data which needs to be protected at source – giving security from the inside out.”
Mark Bower, vice president of product management at Voltage Security, pointed out that the company is not displaying compliance with the PCI standard, and called it “inexcusable in this day and age”.
He said: “The three digit codes (CVV code) from credit cards should never be stored, even encrypted. Per PCI DSS, there are no exceptions to this rule. Why was it ignored here? There’s no need for it in a loyalty application whatsoever.
“Given the ease of protecting data these days, there’s no excuse for this large scale breach, especially as cardholder data with three digit codes is exactly what attackers find most attractive as it’s immediately convertible to fraudulent goods purchases online including purchase money vouchers – converting stolen card details to cash.”
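The PCI DSS rule Bower refers to (card verification codes must never be stored after authorisation, even encrypted) is straightforward to enforce at the point where a booking record is written. The following is an added example, not code from the article, from LoyaltyBuild or from any of the vendors quoted: a persistence gate that drops sensitive authentication data before a record is saved and masks the card number, plus an audit routine that scans already-stored records for the same violations. The field names, the sample booking and the masking policy are assumptions made for the example.

```python
"""Persistence gate and audit for cardholder data (added example, not from the article).

Enforces two controls: card verification codes and similar authentication data are
never written to storage, and the full card number (PAN) is reduced to a masked form
that cannot be reused for fraud.
"""
import re
from typing import Any, Dict, List, Tuple

# Field names treated as sensitive authentication data. These names are assumptions
# for the example; a real system would map them to its own schema.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "cid", "security_code", "pin", "track_data"}
PAN_FIELDS = {"pan", "card_number"}

# A full card number is 13 to 19 digits once separators are removed.
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid flagging arbitrary long numbers as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: Any) -> bool:
    """True if the value is a plausible, unmasked card number."""
    digits = re.sub(r"\D", "", str(value))
    return bool(PAN_RE.match(digits)) and luhn_ok(digits)


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the most PCI DSS permits to be shown)."""
    digits = re.sub(r"\D", "", pan)
    if not PAN_RE.match(digits):
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the record that is safe to persist.

    Forbidden fields are dropped outright (never stored, not even encrypted) and any
    PAN field is replaced by its masked form. All other fields are passed through.
    """
    clean: Dict[str, Any] = {}
    for key, value in record.items():
        lowered = key.lower()
        if lowered in FORBIDDEN_FIELDS:
            continue
        if lowered in PAN_FIELDS:
            clean[key] = mask_pan(str(value))
            continue
        clean[key] = value
    return clean


def audit_stored_records(records: List[Dict[str, Any]]) -> List[Tuple[int, str]]:
    """Scan stored records and report (index, issue) for every violation found."""
    issues: List[Tuple[int, str]] = []
    for idx, record in enumerate(records):
        for key, value in record.items():
            if key.lower() in FORBIDDEN_FIELDS and value not in (None, ""):
                issues.append((idx, f"forbidden field '{key}' present"))
            elif looks_like_pan(value):
                issues.append((idx, f"unmasked card number in '{key}'"))
    return issues


# Constructed sample booking (test card number, not real customer data).
SAMPLE_BOOKING: Dict[str, Any] = {
    "booking_id": "B-0001",
    "customer_email": "alice@example.com",
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "expiry": "12/25",
}

if __name__ == "__main__":
    print("raw record violations:", audit_stored_records([SAMPLE_BOOKING]))
    stored = sanitize_for_storage(SAMPLE_BOOKING)
    print("stored:", stored)
    print("stored record violations:", audit_stored_records([stored]))
```

The audit function is the part worth running against an existing database export: it finds records that were written before the gate existed, which is exactly the situation Bower describes, where verification codes should never have been present in storage at all.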