Thousands of customers at Supervalu are being warned their financial details may have been compromised as a result of a suspected security breach.
The issue only affects customers who availed of the “Getawaybreaks” scheme operated by Clare-based company LoyaltyBuild.
The loyalty-programme firm is currently reviewing personal and payment card information held in its booking system, following advice that its system may have been compromised by a third party.
According to a statement from Supervalu:
This issue is exclusive to Getawaybreaks. It does not impact SuperValu’s other websites or any other customer transactions by payment card. Getawaybreaks is the only element of our business operated by Loyaltybuild.
The protection of our customers’ information is an absolute priority for us at all times and as yet there is no information to suggest that any data has been obtained.
SuperValu is advising customers who have booked a break as part of the scheme to review their accounts and “report any unusual activity or unsolicited communication” relating to the booking to their financial institution.
Around 38,000 customers who booked through the Getawaybreaks scheme within the last three months are due to receive letters in the next few days informing them of the situation.
A spokesperson for Supervalu said that the scheme’s booking system would remain suspended while an investigation was carried out by Loyaltybuild, but said she didn’t envisage the incident having any impact on the supermarket chain’s continued business with the loyalty-programme company.
A statement from Loyaltybuild says that “immediate action” was taken to rectify the situation and protect stored data after its data security team discovered the breach on Friday 25 October:
“We immediately engaged the services of a firm of leading, international, online security experts.
“They are conducting a forensic investigation to help us identify whether any of our stored data was compromised, and, if so, to what extent.
“As of 12pm today the forensics team reported there had been no signs of person or payment data being extracted or compromised, but the forensic examination is ongoing.
Loyaltybuild says that in order to minimise risk it operates a policy of maintaining “as little personal information as possible”:
Credit card numbers are encrypted and we deliberately do not store CVV numbers – the card verification value – which is a 3 digit number found on the back of a credit / debit card.
All payment details are deleted 90 days after a consumer has travelled.
The latest update from the company, issued shortly before 4pm today, states that they are “working around the clock” with security experts to get to the bottom of the problem and that further progress reports will be issued as the situation develops.
The Data Protection Commissioner has been informed by the company of the potential security breach.
Meanwhile, SuperValu is reassuring customers that all Getawaybreak bookings made to date have been processed and completed. They’ve also set up a customer helpline, which can be reached at 0818 220 088.
Loyaltybuild also has a helpline to deal with queries relating to the incident; it’s open from 9am till 8pm and can be reached on 065 686 5200.