Mastercard Reports Data Breach to German and Belgian DPAs

Mastercard reported a data breach involving customer information from its Priceless Specials loyalty program to the German and Belgian Data Protection Authorities (DPAs).

The information was made accessible via the Internet, and the leaked data included customer names, payment card numbers, e-mail addresses, home addresses, telephone numbers, sex and date of birth.

Mastercard claims that “the incident is restricted to Specials” and that only the payment card numbers have been leaked.

After the data leak was discovered, Mastercard suspended the German Priceless Specials and took down its website, leaving up only a message saying that “This issue has no connection to MasterCard’s payment network.”

“We have received a lot of questions and complaints since the announcement of this incident, we want to reassure users: we have contacted MasterCard in order to get additional information, and are following this case closely together with the Hessian data protection authority and all the other possible concerned authorities,” says David Stevens, Chairman of the Belgian Data Protection Authority.

Breach found after information was leaked

On August 19, information from the loyalty program was published and the breach was discovered.

“We have subsequently acted quickly to remove the private data released and safeguard the interests of the customers in question,” added the firm.

“On 21 August 2019, we became aware of the publication on the internet of a second personal information file. We are working to remove this too.”

Heise Media reports that it has seen Excel spreadsheet lists of approximately 90,000 and 84,000 rows from the Priceless Specials loyalty program breach distributed on the internet.

According to Mastercard, passwords and card details such as card security codes and expiration dates were not released:

Based on the facts known at this time, the following personal information is affected: payment card number, title, name, date of birth, gender, mailing address, e-mail address and telephone number and the time of first registration with Priceless Specials. Neither access data nor passwords were published. The expiration date of payment cards and the check digit (CVC) were also not published.

Immediately after learning of the data leak, Mastercard began an investigation and asked all sites where the information was hosted to delete the personal information of Priceless Specials’ customers.

Free credit monitoring for impacted customers

The company is also actively monitoring whether its customers’ personal information is posted on other Internet servers, with the aim of having it deleted immediately.

“We are cooperating in close collaboration with the relevant officials to investigate this incident,” says Mastercard, adding that “they are presently reviewing our safety guarantees for protecting this data in order to identify suitable changes in order to safeguard against comparable occurrences in the future.”

Free credit monitoring and identity theft prevention services are also being offered to impacted customers:

We offer all potentially affected users a one-year free credit monitoring and identity theft prevention service, even if their data were not specifically affected by the incident. As always, we encourage cardholders to review their monthly statements and inform their card issuing institution of any charges that they are unaware of or that may be suspicious.

Mastercard was asked for the number of customers affected by the incident, but had not responded when this article was published.

Update August 23, 19:41 EDT: The following official statement was sent to BleepingComputer by Juliane Schmitz-Engels, Head of Communications for Germany and Switzerland:

We can confirm there was an event involving the Specials loyalty platform in Germany managed by a third-party vendor, which resulted in the unauthorized distribution of certain information. We take privacy and security extremely seriously and are taking every possible step to investigate and resolve the issue. This includes informing and supporting those cardholders affected and immediately suspending the Specials platform, among other actions. This issue has no connection to Mastercard’s payment transaction network.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.