Supervalu Getaway Breaks/Loyaltybuild Payment Information Compromised

vicwatson

Anyone get an email as follows -

Dear XXXXXXXXXXXXXXXX

We are contacting you to advise you that Loyaltybuild, who manage the Getaway Breaks programme on behalf of SuperValu, is reviewing the security of the personal and payment card information you provided to them when making a recent booking.

Please note this issue is exclusive to Getaway Breaks. It does not impact SuperValu's other online websites or any other customer transactions by payment card. Getaway Breaks is the only element of our business operated by Loyaltybuild.

This review is taking place as Loyaltybuild has advised us that their system may have been compromised by a third party.

The protection of your information is an absolute priority for us at all times and as yet there is no information to suggest that any data has been obtained.

However, as a precautionary measure, we advise you to review your account and should you suspect any unusual activity on your payment card, we recommend that you immediately contact your bank or financial institution.

Please treat any unsolicited communication you may receive relating to this issue claiming to represent SuperValu Getaway Breaks or Loyaltybuild with caution.

Please be reassured by the fact that all credit card information held by Loyaltybuild is encrypted and they are taking all the reasonable actions to inform the relevant financial institutions of this issue.

We apologise for any unnecessary concern that this notification may create. However it is SuperValu's priority at all times to put our customers first and do all in our power to act in your best interests.

The Getaway Breaks booking system has been temporarily suspended, pending a thorough investigation of the Loyaltybuild system. Loyaltybuild is continuing to resolve this issue internally and with the Data Protection Commissioner. We will update you on any relevant information as it becomes available. Please note all Getaway Break bookings made to date have been processed and completed.

If you have any immediate queries, please contact the customer helpline at 0818 220 088 with any concerns which you may have.

Sincerely,

[FONT=Arial, Helvetica, sans-serif][/FONT]
Director
SuperValu

And they provide a PREMIUM RATE NUMBER (from a mobile anyway) :mad:

And they haven't bothered to provide dates as to when they were compromised and dates for when potential booking cards are at risk :mad:

Anyone got any more information on this?

Skid X

Article about it here, although there isn't much information

http://www.irishtimes.com/news/consumer/numbers-hit-by-rewards-scheme-security-breach-now-over-40-000-1.1584554

More than 40,000 people in Ireland are now known to have had their financial details potentially compromised after an electronic security breach at a company which oversees rewards schemes run by Supervalu, Axa Insurance and Stena Line.

39,000 Supervalu customers who bought its “getaway breaks” have been exposed while a further 4,000 people who were part of the insurance company’s loyalty reward programme which is also run by the Clare-based US-owned company Loyaltybuild have been affected.

dudara

Moved to Information Security

dudara

Jayop

Thanks for posting. I didn't get the letter, but we've bought breaks a good few times so I'll be keeping a good eye on my account.

philthrill69

Is this the reason the getaway breaks website is down for the last two weeks? http://www.supervalugetawaybreaks.com/

osullc10

I just got this email from Supervalu. I am presuming that a database administered by Loyaltybuild, which contained payment card data of Supervalu customers, was compromised. Does anybody know if the hackers got access to the actual numbers on the payment cards, or if they just got hashes of the card data? (Is that even how payment card data is stored?) The Irish Times article linked above indicates that the data was encrypted, but I'd like if Supervalu or somebody clarified this.

allthedoyles

News has just come through tonight that it is now a high risk that the system has been compromised by a third-party .

jo1978

I got an email from them at 10pm this evening to say they have only just discovered I cud be affected!!!! Im fuming how did they only realise now

jo1978

http://www.databreaches.net/supervalu-warns-customers-of-data-breach/

vicwatson

And they provide a PREMIUM RATE NUMBER (from a mobile anyway) to contact them !!!!!!! :mad::mad::mad:

I emailed them last week 5th November to ask for the dates for the period that was affected - NO REPLY.

Anyone notice the following from the email tonight -

At the moment this appears to also relate to bookings between January 2011 and February 2012. We became aware of this today from Loyaltybuild who manage and operate the SuperValu Getaway Breaks programme

Key word is ALSO

From the Indo website the statement clearly states the following -

“Based on this latest information from Loyalty Build, SuperValu are tonight contacting Getaway Breaks customers that there is a high risk that an unauthorised third party accessed the details of payment cards used to pay for Getaway Breaks between January 2011 and February 2012,” the statement read.

It said that 62,500 customers who made bookings during this period have been told to contact their bank or financial institution as soon as possible.

http://www.independent.ie/business/irish/over-60000-supervalu-customers-may-have-had-payment-card-data-leaked-29745157.html

So what is it Supervalu/Loyaltybuild?

For bookings between this period ONLY or what ???

You see I had made some bookings during that period and last April 2013 there was fraudulent activity on my card and I had to have it replaced - does this mean that I am ok now that I have new card since April 2013 (though I made a new booking with new card for August) ???

vicwatson

jo1978 wrote: »

http://www.databreaches.net/supervalu-warns-customers-of-data-breach/

Found this number on that website -

For customer queries please call the Loyaltybuild Helpline on 065 686 5200. The helpline is open Monday to Sunday from 9am to 8pm.

vicwatson

That email from tonight -

As a follow on from our letter to you last week, we can confirm that there is a high risk that an unauthorised third party has had access to the details of the payment card you used to pay for a Getaway Break. At the moment this appears to also relate to bookings between January 2011 and February 2012. We became aware of this today from Loyaltybuild who manage and operate the SuperValu Getaway Breaks programme.

The protection of your information is an absolute priority for us and we are extremely concerned about the security of your card. Therefore, we recommend that you contact your bank or financial institution as soon as possible, and immediately check the transactions on your card for any suspicious activity. Please treat any unsolicited communication you may receive relating to this issue claiming to represent SuperValu Getaway Breaks or Loyaltybuild with extreme caution.

We apologise for the worry and inconvenience that this issue may cause. However, it is SuperValu's priority at all times to put our customers first and do all in our power to act in your best interests. We have communicated with you immediately following confirmation of this issue by Loyaltybuild to us.

This issue is exclusive to Getaway Breaks. It does not impact SuperValu's other websites or any other transactions made by payment card in store or online. The only breach of data security, which has arisen, was in data collected and held by Loyaltybuild.

The Getaway Breaks booking system is suspended until further notice, pending a thorough investigation of the Loyaltybuild system. Loyaltybuild is continuing to resolve this issue internally. The Data Protection Commissioner has been notified. We will update you on any relevant information as it becomes available. Please note all Getaway Break bookings made to date have been processed and completed.

If you have any queries, please contact the Republic of Ireland customer helpline at
0818 220 088 or the Northern Ireland customer helpline at 0870 178 2002 with any concerns you may have. The helpline will be opened from 9am tomorrow morning.

Sincerely,

Ray Kelly
Marketing Director
SuperValu

jo1978

The email I received says
'At the moment this appears to relate to bookings between January 2011 and February 2012. We became aware of this today from Loyaltybuild who manage and operate the SuperValu Getaway Breaks programme.'
So it cud affect other dates too.....

professore

I worked with some of the people in Loyaltybuild on a project a few years ago. Don't understand why they were storing credit card details in the first place - surprises me to be honest. Don't they know this is an invitation to be hacked? Might as well put an ad on the web saying you have a shed full of cash, here are the GPS coordinates, but you have faith in your extra strong padlock?

Dermot Illogical

http://www.newstalk.ie/Supervalu-security-breach-more-serious-than-thought

allthedoyles

I called into BOI today and they are going to issue a new card , due to this high risk .

Anyone know where I can get a claim form ?

shamrock55

If money had been taken from a cc would something show on the statement,or would money be dissapearing and not show anything on the statement

hmmm

Why have we not been told yet who the other clients were of this company? All we know is SuperValu, but there are a lot more than SuperValue customers affected.

hmmm

shamrock55 wrote: »

If money had been taken from a cc would something show on the statement,or would money be dissapearing and not show anything on the statement

It would be on the statement. I wouldn't worry about it, but just keep an eye on your statements. Cancel your card if you'd prefer.

To be honest, I'd say most of the world's credit cards have already been stolen by someone somewhere.

vicwatson

I made some bookings during the period Jan 2011 & Feb 2012 and last April 2013 there was fraudulent activity on my card and I had to have it replaced - does this mean that I am ok now that I have new card since April 2013 (though I made a new booking with new card for August) ???l

vicwatson

dudara wrote: »

Moved to Information Security

dudara

Is this not a consumer issue no?

Dermot Illogical

vicwatson wrote: »

I made some bookings during the period Jan 2011 & Feb 2012 and last April 2013 there was fraudulent activity on my card and I had to have it replaced - does this mean that I am ok now that I have new card since April 2013 (though I made a new booking with new card for August) ???l

You're probably caught up in it twice. Your new card should be considered compromised.

MadsL

vicwatson wrote: »

Anyone get an email as follows -



And they provide a PREMIUM RATE NUMBER (from a mobile anyway) :mad:

And they haven't bothered to provide dates as to when they were compromised and dates for when potential booking cards are at risk :mad:

Anyone got any more information on this?

Contact the Data Protection Commissioner if you are getting the run around.

http://www.dataprotection.ie/docs/Data-Breach-Handling/901.htm

vicwatson

Dermot Illogical wrote: »

You're probably caught up in it twice. Your new card should be considered compromised.

Why? how?

Do we know the full date period in which the cards that were used for bookings were compromised? I've had no fraudulent activity on my new card anyways..

Thanks

Dermot Illogical

vicwatson wrote: »

Why? how?

Do we know the full date period in which the cards that were used for bookings were compromised? I've had no fraudulent activity on my new card anyways..

Thanks

Jan 2011 - Oct 2013 is the time period.
To be honest I'd consider any data they've ever held compromised at this stage.

You've had no fraudulent activity on your new card...yet.

hmmm

vicwatson wrote: »

Do we know the full date period in which the cards that were used for bookings were compromised?

No. The information we've received has been incomplete and inconsistent. We've gone from 7,000 compromised to 70,000 to 100,000 to 400,000 to 1.5 million (per the Irish Times) in the space of 48 hours. FFS, just get a list of all the credit cards and start from there by informing people.

vicwatson

Dermot Illogical wrote: »

Jan 2011 - Oct 2013 is the time period.
To be honest I'd consider any data they've ever held compromised at this stage.

You've had no fraudulent activity on your new card...yet.

Is this because I made a new booking with my NEW credit card in the period Feb 2012 (albeit from April 2013) to now ?? and therefore fraudulent activity could still occur? Have I got that right?

vicwatson

hmmm wrote: »

No. The information we've received has been incomplete and inconsistent. We've gone from 7,000 compromised to 70,000 to 100,000 to 400,000 to 1.5 million (per the Irish Times) in the space of 48 hours. FFS, just get a list of all the credit cards and start from there by informing people.

100% agree

Either we are being given no information, wrong information or incomplete information.

IIRC Will Goodbody on RTE 9 news said that the dickheads that stole the information have the credit card holders address and phone number too - how ????

And

That people are advised to change their PIN number - why ??????

And as for Supervalu they've gone into hiding.

No correct direction or coordination from anywhere which is very worrying if this occured on a larger scale.

I take it the DPC will be asking why all these details along with the three digits on back of card were being stored by loyalty build?

allthedoyles

So anyone know what is the solution to this problem ?

Supervalu apologise - they advise to contact bank as soon as possible .

I called into bank today - they had no info on this and were more worried about the ATM skimming / scamming .

I took it upon myself to cancel my card and now have to wait 3-5 working days for new Visa Debit Card.

markpb

ninja900 wrote: »

According to this Irish Times article http://www.irishtimes.com/news/technology/number-hit-by-clare-cyber-attack-climbs-to-1-5-million-1.1592584 it appears that card numbers including CVV were stored unencrypted. This is strictly amateur hour stuff, I hope the DPC rides these guys sideways.

It won't be just DPC they have to worry about. Visa/MasterCard and their acquiring banks can issue massive fines over breaches like this and they'll probably have trouble finding a bank acquire for them in the future.

shamrock55

We used a cc for one of those super value breaks last year but i have never noticed any suspicious activity on my cards (yet)
if i ring the cc company and ask them to cancel my cc and issue a new one with new acc no and security no etc will they do this and will that sort this problem

vicwatson

allthedoyles wrote: »

So anyone know what is the solution to this problem ?

Supervalu apologise - they advise to contact bank as soon as possible .

I called into bank today - they had no info on this and were more worried about the ATM skimming / scamming .

I took it upon myself to cancel my card and now have to wait 3-5 working days for new Visa Debit Card.

I'd be surprised if you get new card within 3-5 working days.

vicwatson

shamrock55 wrote: »

We used a cc for one of those super value breaks last year but i have never noticed any suspicious activity on my cards (yet)
if i ring the cc company and ask them to cancel my cc and issue a new one with new acc no and security no etc will they do this and will that sort this problem

Yes and yes, but it might take some time to get new card

shamrock55

vicwatson wrote: »

Yes and yes, but it might take some time to get new card

Ok thanks

vicwatson

I spoke with loyaltybuild and was advised that if you made bookings with supervalu breaks from January 2011 to February 2012 that potential fraud on ones card can only occur from Oct 23th (or 25th?) 2013 onwards.

They said that fraud I had back in April 2013 was coincidental and must have been from a different source.

Anyone got updates on this?

theedude27

vicwatson wrote: »

I spoke with loyaltybuild and was advised that if you made bookings with supervalu breaks from January 2011 to February 2012 that potential fraud on ones card can only occur from Oct 23th (or 25th?) 2013 onwards.

They said that fraud I had back in April 2013 was coincidental and must have been from a different source.

Anyone got updates on this?

There is mention of a third party being involved in the security breach. I wonder if this third party was actually contracted to Loyalitybuild and if they are the source of the breach then they may well have sold on your sensitive data to other hackers via underground forums or even posted the information to the likes of pastebin.com (just for some kudos!!). I've seen this kind of thing happen before and it gets pretty nasty, literally anyone's financial details can end up on some mainstream or underground site:(

firemansam4

I also had fraudulent attempts carried out on my dc in November 2012, I could never figure out how my details got compromised as the only times I gave my details online was via paypal or axa leisure breaks, and i am normally very careful at ATM machines. seems to much of a coincidence that it wasn't related to this.

I have since had that card replaced in November 2012, I have used the axa leisure breaks since then on my new card so I wonder is my new card compromised now, although no sign of it yet. And so far they are saying the affected period is between January 2011 to February 2012 when bookings were made. I wonder will these dates change like all other details seem to have so far.

bren2001

My gf had fraudulant charges on her card earlier this year. We had used her card to book Supervalu Getaway breaks. I do find it a bit odd that there seems to be a fair few people (here and on other forums) where fraud has been committed on their card late last year early this year after using one of the lesiure breaks.

I got a new card there a few weeks ago as my old one stopped working. The card number stayed the same but everything else changed CVV, Expiry etc. I just rang the bank and cancelled my card and they are issuing one with a new card number. That would be my advice for everybody who is unsure.

It only takes a week for a new card. If there is any doubt, cancel and get a new one. Only takes a few days.

RangeR

There is a freephone number being advertised now, rather than the premium rate one - 1800 303 689

The Getaway Breaks booking system will remain off-line, pending a thorough investigation of the Loyaltybuild system. We apologise for any inconvenience this may cause and if you wish to speak to a customer service representative you can do so on
1800 303 689 (freephone).

SpaceTime

On a related topic, I was very concerned when I used my credit card in a major DIY retailer the other day as I didn't understand why the were swiping it through their till system and then inserting into a chip and pin terminal to get payment.

I don't like my card details being captured by a second device like that and I don't understand why they're gathering that kind of data. It didn't make a lot of sense to me.

Any idea why this is done?

There seems to be very few standards for how these things are done.

a_ominous

I did same as a few people here and ordered a new card, new number. Had same credit card for 20 odd years, so time for a change, methinks. I've bought several Supervalu deals, trips on Stena on-line. Why aren't the companies who do on-line transactions forced to use the like of Verified by Visa? I know there are people who would have bought breaks, trips over the phone so this won't work. But that's up to the credit card companies to fix.

Hotblack Desiato

SpaceTime wrote: »

I don't like my card details being captured by a second device like that and I don't understand why they're gathering that kind of data. It didn't make a lot of sense to me.

That happened to me in a petrol station a couple of months ago, about a week later several spurious transactions appeared. Of course, I can't prove anything :rolleyes:

GerardKeating

SpaceTime wrote: »

On a related topic, I was very concerned when I used my credit card in a major DIY retailer the other day as I didn't understand why the were swiping it through their till system and then inserting into a chip and pin terminal to get payment.

I don't like my card details being captured by a second device like that and I don't understand why they're gathering that kind of data. It didn't make a lot of sense to me.

Any idea why this is done?

There seems to be very few standards for how these things are done.

This two swipe approach (which is frowned upon by the card schemes) is typically done because the till system does not support Chip and pin, so they swipe first in the till, so that the accounts dept know how the transaction was paid for and then a second time to actually make the payment.

allthedoyles

You will have heard about the recent cybercrime attack on Loyaltybuild, who manage our Getaway Break scheme. SuperValu is contacting all of its customers to provide an update and to apologise for any inconvenience or worry this may have caused.

Firstly, this issue only affects those who have booked a Getaway Break. Therefore if you have never booked a Getaway Break this issue does not impact you in any way. In addition, we would like to clarify that payment by card for your grocery shopping in-store or online is not affected.

For those who have booked a Getaway Break in the past and whose payment details have been compromised we have already contacted you directly.

However, while the investigation continues we would also like to forewarn anyone who has booked a Getaway Break to be vigilant and assume your contact details may have been compromised. Therefore treat any unsolicited communication with caution.

We have suspended the Getaway Breaks programme until further notice, pending a thorough investigation of the Loyaltybuild system. Please note all Getaway Breaks bookings made to date have been processed and completed.

If you have any further queries, please contact the Getaway Breaks helpline in the Republic of Ireland at 1800 303 689 or in Northern Ireland at 0800 0390 910

This is email update from Supervalu

fortunekb

Hi guys,

I was wondering what appeared on your bank statement when money was taken out??

My grandad's said slimming juice or
Something ... Anyone have anything similar? Or
Something we should watch for.

Thanks

RangeR

fortunekb wrote: »

Hi guys,

I was wondering what appeared on your bank statement when money was taken out??

My grandad's said slimming juice or
Something ... Anyone have anything similar? Or
Something we should watch for.

Thanks

Seriously? I don't mean any disrespect but you watch out for anything you didn't purchase.

fortunekb

RangeR wrote: »

Seriously? I don't mean any disrespect but you watch out for anything you didn't purchase.

He didnt purchase that .

NIMAN

This hack or leak of personal data will probably be remembered when they try to launch their banking and credit card services next year.

SpaceTime

I honestly think it's time the credit card model was changed completely. It's a fundamentally flawed technology that relies far too much on trust.

At this stage consumers should be able to push payments to retailers without revealing vulnerable details that can be stolen. The technology is there and we all carry complex smartphones that could easily facilitate something far more secure than dumb credit cards.


The banking industry hasn't really done anything to prevent this kind of fraud. Everything they introduce retains the old broken system. Chip and Pin (retained the magstripe so cards can still be skimmed). Online verification schemes like Verified by Visa only protect the retailers using them from taking fake cards and they're not universal or compulsory so can't work to cut out fraud.

It's only going to get worse and worse with more spectacular hacks as the whole concept of giving some one basically uncontrolled access to debit your bank/credit account by handing over 16 digits and an expiry date is just so stupid that it makes no sense.

The banking industry obviously makes so much money it doesn't care about the losses.

The current system is as safe as putting your keys under the mat at the hall door.

I'm actually thinking of switching over to using virtual cards online like entropay or 3V vouchers. I no longer feel secure using my cards, particularly my debit card as it could result in my current account being cleared.

Hotblack Desiato

The current system isn't the problem here, it was failure to implement it.

SpaceTime

Well, that wouldn't explain the regular hacks, phishing, skimming and seemingly endless card fraud.

The system isn't fit for purpose and the cost of fraud is being absorbed by interest rates and fees rather than being eliminated technologically.

We've basically got a payment card duopoly and it isn't innovating fast enough.

If getting access to the card numbers was of no value to any criminal gang, then there wouldn't be any hacks in the first place. The system is fundamentally flawed and shouldn't be so vulnerable to data theft in the first place.

All that's going to happen is these kinds of attacks will rise and rise until the banks eventually reach a tipping point where they do something about it.