Data of 90K Mastercard Priceless Specials Members Shared Online


A database containing sensitive information of about 90,000 members of Mastercard's German “Priceless Specials” loyalty program, shared online following a breach discovered on 20 August, was added to the Have I Been Pwned data breach site on 1 September.

The information was accessible on the internet following the breach and included customer names, card numbers, partial payment card information, IP addresses, email addresses, phone numbers, gender and birth dates.

Database dump added to Have I Been Pwned

Mastercard disclosed the data leak incident to the DPA on 23 August, and the data breach site Have I Been Pwned added it to its own database on 1 September.

According to Have I Been Pwned, the database dump includes information on 89,338 German Mastercard customers with a “Priceless Specials” bonus program account, and 46 percent of the addresses were already part of earlier database dumps.

Have I Been Pwned immediately notified all affected customers of the breach and allows those without alerts to check for themselves whether their emails are part of the leak.

Mastercard Priceless Specials

Priceless Specials loyalty program shut down

Immediately after learning of the data breach, Mastercard began an investigation and asked all the sites hosting the customer information to remove all personal information belonging to its Priceless Specials members.

After the information leak was discovered, Mastercard also suspended the German “Priceless Specials” bonus program and took its website down, leaving a message saying: “This problem is not linked to the payment network of MasterCard.”

Mastercard’s Chief Communications Officer for Germany and Switzerland, Juliane Schmitz-Engels, said that the breach affected a third-party Specials German loyalty platform, “which meant that some data would be distributed illegally.”

At the time, Mastercard stated that “the incident was limited to the Specials program,” and that the payment card number was the only information leaked in the incident:

Based on the facts known at this time, the following personal information is affected: payment card number, title, name, date of birth, gender, mailing address, e-mail address and telephone number and the time of first registration with Priceless Specials. Neither access data nor passwords were published. The expiration date of payment cards and the check digit (CVC) were also not published.

What’s next for members of Mastercard Priceless Specials?

Customers who wish to verify whether their information was exposed in this breach can enter their e-mail address at https://haveibeenpwned.com/ to obtain a report on whether their information was found in any of the breaches added to the platform, including the Mastercard Priceless Specials breach.

Since the database dump has already been shared online via several websites, the program's account credentials will most definitely be used in future credential stuffing attacks.

Credential stuffing attacks let attackers use credentials exposed in data breaches at multiple businesses to try to gain access to accounts on other sites.

These attacks work particularly well against the accounts of customers who use the same password on all or several websites. Therefore, it is best to always use a unique password for each of your internet accounts, in case one account is compromised after a breach.

If you use your Priceless Specials Mastercard password with accounts on other websites, you should change your password immediately on every site where it is also used. If you do not, you risk having those accounts compromised as well in future attacks.
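
How a site operator can spot the reuse pattern described above in its own login logs, as an added example that is not part of the original article: credential stuffing appears as one source trying many different accounts once or twice each and mostly failing, while any success marks a reused password. The event format, thresholds, function names and log data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source IP, username, login succeeded).
# IPs are from documentation ranges; no real data is used.
SAMPLE_EVENTS = (
    # One source, eight different accounts, one attempt each, one hit.
    [("203.0.113.10", f"user{i}@example.com", i == 3) for i in range(8)]
    # One source hammering a single account: brute force, not stuffing.
    + [("198.51.100.7", "alice@example.com", False)] * 10
    # A user who mistyped once and then logged in.
    + [("192.0.2.44", "bob@example.com", False),
       ("192.0.2.44", "bob@example.com", True)]
)


def classify_sources(events, min_accounts=5, max_tries_per_account=2,
                     min_fail_ratio=0.8):
    """Label each source IP as credential_stuffing, brute_force or normal."""
    per_ip = defaultdict(lambda: defaultdict(list))
    for ip, user, ok in events:
        per_ip[ip][user].append(ok)

    verdicts = {}
    for ip, users in per_ip.items():
        attempts = [ok for tries in users.values() for ok in tries]
        fail_ratio = attempts.count(False) / len(attempts)
        most_tries = max(len(tries) for tries in users.values())
        if fail_ratio < min_fail_ratio:
            verdicts[ip] = "normal"
        elif len(users) >= min_accounts and most_tries <= max_tries_per_account:
            # Wide and shallow: many accounts, few guesses per account.
            verdicts[ip] = "credential_stuffing"
        elif most_tries > max_tries_per_account:
            # Narrow and deep: repeated guesses against the same account.
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts a stuffing source logged in to: their password was reused."""
    return sorted({user for ip, user, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})


if __name__ == "__main__":
    found = classify_sources(SAMPLE_EVENTS)
    print(found)
    print(accounts_to_reset(SAMPLE_EVENTS, found))
```

Accounts returned by `accounts_to_reset` are the ones to force a password reset on, since the login succeeded with a credential the source evidently obtained elsewhere.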

Credit: BleepingComputer

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.