Mastercard reveals data breaches in third-party loyalty program

A Mastercard spokesperson said the loyalty program, known as Priceless Specials and which was administered by a third-party firm, has been shut down since the company first became aware of the breach on Aug. 19.

The credit card company noticed customer data, including names, payment card numbers, e-mail addresses, home addresses, phone numbers, gender, and dates of birth, had been released on the internet “for a certain period of time.”

On Aug. 21, Mastercard became aware that a second file of personal information was published on the internet.

German media reports have suggested that 90,000 customers have been affected. The company spokesperson declined to comment.

As yet, there is no evidence of any customer suffering any form of financial loss as a result of the breach. The breach does not impact the company’s payments systems, and Mastercard is working with data regulators to resolve the issue quickly.

In a statement, the company said: “We can confirm there was an event involving the Specials loyalty platform in Germany managed by a third-party vendor, which resulted in the unauthorized distribution of certain information.”

“We take privacy and security extremely seriously and are taking every possible step to investigate and resolve the issue. This includes informing and supporting those cardholders affected and immediately suspending the Specials platform, among other actions. This issue has no connection to Mastercard’s payment transaction network.”

As the breach affects mostly German customers, Mastercard has notified the relevant German data regulator, the Hessian authority of Germany, as well as the Belgian Data Protection Authority (DPA), since Mastercard’s European headquarters are situated in Waterloo, Belgium.

In a statement, David Stevens, chairman of the Belgian DPA, said: “We have received a lot of questions and complaints since the announcement of this incident [and] we want to reassure users [that] we have contacted MasterCard in order to get additional information,” adding that “we are following this case closely together with the Hessian data protection authority and all the other possible concerned authorities.”

The European Union’s new General Data Protection Regulation (GDPR) provides for a cooperation mechanism between national supervisory authorities, called the “one-stop-shop” mechanism, which can be activated when the processing of personal data has an impact on citizens from various countries of the European Union or when a processor is established in more than one EU member state.

The mechanism stipulates that while only one data authority will act as the lead regulator for a processor established in the European Union, it does allow other EU supervisory authorities to participate in its decision-making process when it comes to handing out fines.

Separately, the Berlin Data Protection Authority has announced it will soon likely issue a “double-digit” million euros fine for GDPR violations. No further details regarding the company or nature of the violation have been disclosed.

Since the GDPR came into force in May 2018, Germany has emerged as the EU country with the highest number of fines so far.

For more information, please refer to the FAQ published on Mastercard’s Website.