Mastercard Alerts German, Belgian DPAs Following Breach
A breach at the payment card giant disclosed last week mostly involved the data of German customers enrolled in a loyalty program.
Both Germany's and Belgium's data protection authorities (DPAs) are aware of last week's breach at payment card operator Mastercard. The incident, which occurred at a Mastercard loyalty program operated by a third-party service provider, affected the data of roughly 90,000 people in Germany.
The company discovered the breach last Monday; on Monday of this week Bloomberg reported that the data protection regulators had been informed and that a "large number of data subjects, a significant portion of which would be German customers," were impacted.
While the incident largely affects German customers, Mastercard Europe is headquartered in Waterloo, Belgium, a municipality south of Brussels, which is why the Belgian DPA is involved alongside the Hessian data protection authority in Germany.
"We have received a lot of questions and complaints since the announcement of this incident, we want to reassure users: we have contacted MasterCard in order to get additional information, and are following this case closely together with the Hessian data protection authority and all the other possible concerned authorities," David Stevens, Chairman of the Belgian Data Protection Authority, said last week.
Mastercard stressed last week that the incident did not affect its payment card network and was confined to its loyalty program, Priceless Specials. According to the company, information such as customers' payment card numbers, titles, names, dates of birth, genders, mailing addresses, e-mail addresses, telephone numbers, and the dates they first registered with Priceless Specials may have been exposed. The expiration dates and the Card Verification Codes (CVC) of the payment cards were not leaked, which matters because a card number alone is of limited use for card-not-present fraud without them, though it still enables targeted phishing and can be correlated with other leaked data.
Mastercard also suspended the Priceless Specials loyalty program in Germany in the wake of the breach.
On Wednesday the company became aware of a second issue: another file containing user data from the loyalty program had been published online. Details about this second incident are scant, but Mastercard says it is working to have that data removed as well; according to the German DPA, it has already done so.
What led to the breach in the first place, including the name of the third-party service provider, is also unclear; Mastercard would only say that it had been made aware that "personally identifiable information was available on a public website" and that it was still "working with authorities to further investigate the matter."
Under GDPR, a mechanism known as the one-stop-shop allows data protection authorities in different member states, such as Germany and Belgium, to work together when a company's processing affects data subjects in more than one country or when a controller or processor is established in one or more EU states. The authority in the country of the company's main establishment acts as lead supervisory authority and coordinates with the other concerned authorities, so a company deals with a single regulator for cross-border matters, which makes it simpler and cheaper to do business across the EU. According to the law firm Weil Gotshal & Manges LLP, the first year of GDPR saw a total of 446 cross-border cases logged in the European Data Protection Board's case register; 205 of these resulted in one-stop-shop procedures, and 19 reached a final outcome under the one-stop-shop procedure.
While not all of the information about this particular incident is available, the breach illustrates the dangers of a supply-chain, or third-party, attack. Mastercard's own systems and transaction network appear to have been spared, but Mastercard's customers were not. Companies should ensure, wherever possible, that they have visibility into how customer data is handled by every party in their supply chain, including third-party vendors, and that contracts and audits cover what data those vendors hold and where they store it.