Pierluigi Paganini August 24, 2019

Mastercard disclosed a data breach that impacted customer data from the company’s Priceless Specials loyalty program.

The American multinational financial services corporation notified the data breach to the German and Belgian Data Protection Authorities.

The data leaked online includes customers’ names, payment card numbers, email addresses, home addresses, phone numbers, gender, and dates of birth.

“The Belgian Data Protection Authority (DPA) as well as the Hessian authority of Germany have been notified by Mastercard company of a data breach detected on 19 August 2019 which would have affected a large number of data subjects, a significant portion of which would be German customers.” reads the press release published by the Belgian Data Protection Authority.“Since the main establishment of Mastercard is located in Waterloo, the Belgian DPA is working closely with its Hessian counterpart and the other competent authorities to defend the interests of the persons affected by this incident.“

Mastercard confirmed that “the incident is limited to the Specials program,” the company added that the only payment card data leaked online were the numbers of payment cards.

“Based on the facts known at this time, the following personal information is affected: payment card number, title, name, date of birth, gender, mailing address, e-mail address and telephone number and the time of first registration with Priceless Specials. Neither access data nor passwords were published. The expiration date of payment cards and the check digit (CVC) were also not published.” states MasterCard.

In response to the data leak, Mastercard suspended the German Priceless Specials and took down its website. The website displays the following message.

“We have received a lot of questions and complaints since the announcement of this incident, we want to reassure users: we have contacted MasterCard in order to get additional information, and are following this case closely together with the Hessian data protection authority and all the other possible concerned authorities.” said David Stevens, Chairman of the Belgian Data Protection Authority.

The data breach was discovered after the loyalty program data was leaked online on August 19. MasterCard immediately took action to remove the information, but on August 21, a second file was published online.

“On August 21, 2019, we became aware that a second file of personal information was published on the Internet. We are working to remove them as well.”

According to Heise Media, the Excel spreadsheets leaked online after Mastercard’s Priceless Specials loyalty program was breached were containing roughly 90,000 and 84,000 rows.

Mastercard immediately launched an investigation and informed authorities, it is also actively monitoring whether stolen info is posted online.

“We are working closely with the relevant authorities to investigate this incident,” adds Mastecard also stating that they are “currently reviewing our security safeguards to protect this information to identify appropriate improvements to protect against similar incidents in the future.”

Impacted customers have been notified about the data leak, MasterCard will offer them one-year free credit monitoring and identity theft prevention service.

Pierluigi Paganini

(SecurityAffairs – MasterCard, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]