Mastercard Reports Data Breach to German and Belgian DPAs

By Sergiu Gatlan

Mastercard disclosed a data breach to the German and Belgian Data Protection Authorities (DPA) involving customer data from the company's Priceless Specials loyalty program.

The data was made available on the Internet, with customers' names, payment card numbers, email addresses, home addresses, phone numbers, gender, and dates of birth being included in the leaked info.

Mastercard says that "the incident is limited to the Specials program" and that the only payment card information leaked was the payment card numbers.

After the data leak was discovered, Mastercard suspended the German Priceless Specials and took down its website, leaving up only a message saying that "This issue has no connection to MasterCard's payment network."

specials.mastercard.de message

"We have received a lot of questions and complaints since the announcement of this incident, we want to reassure users: we have contacted MasterCard in order to get additional information, and are following this case closely together with the Hessian data protection authority and all the other possible concerned authorities," says David Stevens, Chairman of the Belgian Data Protection Authority.

Breach discovered after data was leaked

The breach was discovered after the loyalty program data was released on the Internet on August 19, says Mastercard.

"Thereafter, we acted promptly to remove the published personal information and to protect the interests of the affected users," adds the company.

"On August 21, 2019, we became aware that a second file of personal information was published on the Internet. We are working to remove them as well."

Heise Media reported that it saw the Excel spreadsheets containing lists of roughly 90,000 and 84,000 rows that were distributed on the internet after Mastercard's Priceless Specials loyalty program was breached.

According to Mastercard, account passwords and card info such as card security codes and expiration dates were not published:

Based on the facts known at this time, the following personal information is affected: payment card number, title, name, date of birth, gender, mailing address, e-mail address and telephone number and the time of first registration with Priceless Specials. Neither access data nor passwords were published. The expiration date of payment cards and the check digit (CVC) were also not published.

Mastercard started an investigation immediately after learning of the data leak and requested all sites where the info was hosted to also delete the personal information belonging to its Priceless Specials customers.

Free credit monitoring for affected clients

The company is also actively monitoring whether the personal info of its clients is posted on other Internet servers with the intention to immediately remove it.

"We are working closely with the relevant authorities to investigate this incident," adds Mastercard, also stating that they are "currently reviewing our security safeguards to protect this information to identify appropriate improvements to protect against similar incidents in the future."

All potentially impacted clients have been informed about their info being leaked in the incident, as Mastercard confirmed to the Belgian DPA.

The company adds that free credit monitoring and identity theft prevention are also offered to affected users:

We offer all potentially affected users a one-year free credit monitoring and identity theft prevention service, even if their data were not specifically affected by the incident. As always, we encourage cardholders to review their monthly statements and inform their card issuing institution of any charges that they are unaware of or that may be suspicious.

BleepingComputer has reached out to Mastercard to ask for the number of customers impacted by this incident but had not heard back at the time of this publication.