It seems that the data leak at the credit card company Mastercard reported on Monday is bigger than expected. In the meantime, a file containing credit card data has appeared.
What happened on Monday?
Some time ago, a CSV file containing the data of around 90,000 users of the Mastercard Priceless Specials bonus program appeared on the Internet. The file contains the first name and surname, date of birth, e-mail address and often also the postal address and mobile phone numbers of the persons concerned. I reported the details in my German blog post Datenleck: Mastercard-Bonusprogramm Priceless Specials. Mastercard suspended access to the Priceless Specials bonus program. The German site shows the following message.
The (translated) message says:
Mastercard was alerted about a problem with our Priceless Specials platform. We take privacy very seriously and are working hard to investigate this issue.
As a precaution, we closed the specials platform immediately.
This problem has no effect whatsoever and is not related to Mastercard’s payment network. firstname.lastname@example.org
That was what was known so far: a bad incident for Mastercard and a case for the European GDPR.
New evidence of a major data leak
Shortly after I published the German blog post, blog reader Eduard reported in a comment that he suspected a major data leak. The reader wrote:
But there seems to be another data leak with Mastercard. I myself am affected: Apparently data for Mastercard debit cards was fished off and used for debits. These cards were not released for the bonus program. In my case, they were used to make payments in Brazil. Meanwhile, all Mastercard debit cards issued by my bank are blocked.
I only learned about this incident yesterday, after I contacted my bank about incorrect debits from my account.
I also found this post in the German heise forum, where another user reported that a second file has made its way into forums. This file contains 84,000 data records with complete credit card data. The poster reports that their bank is blocking the cards, which is exactly what is reported in the comment above. The German magazine heise has published another article dealing with this second file containing the complete credit card numbers.
A copy of the second file with 84,000 data records containing the complete credit card numbers of the persons concerned was sent to the editors of heise. heise writes that additional information such as cardholder, expiration date or CVC is missing from the file, but stresses that the author may be in possession of this data. The authenticity of the second leak has not been clarified.
The German Manager Magazin also writes in this article that the data leak is bigger than expected. It reports that Internet entrepreneur David Schirrmacher took part in the Priceless Specials bonus program. Schirrmacher is affected by the data leak himself and gave Manager Magazin a look at his data. His credit card number is included in the file.
Complaints to Hessian data protection officer
The incident is likely to be explosive for Mastercard. On the one hand, the company will probably be faced with claims for damages in the event of misuse. But even without misuse, the General Data Protection Regulation (GDPR, DSGVO in German), which strictly regulates the collection of personal data, applies. The leak has resulted in the loss of personal data, which brings the data protection authorities into play. According to Manager Magazin, 35 complaints had been filed with the Hessian data protection officer by Wednesday morning.
Complaints about irregularities for weeks
In the heise forum I had stumbled upon this thread on Monday, which didn't make sense to me at the time. A poster wrote:
Data problem already reported at the end of June
If you have the list, you can search for MyDealz employees – one user has created more than 50 accounts with Priceless Specials. If you now consider that MyDealzde was the focus of Priceless Special marketing, and what trouble there had been with the TUI vouchers and the data problems reported to MyDealzde at the end of June before, it becomes clear what could have been the motivation for the “leak”. Last data records from June…
Too cryptic for me, but what I can gather is this: there had already been trouble with TUI vouchers, and the MyDealz platform reported data protection issues at the end of June. The article in Manager Magazin points out that online forums have been reporting irregularities for weeks. Many customers had registered with Priceless Specials to benefit from discounts offered by companies such as Sixt, Tui or Jochen Schweizer. However, a number of customers noticed that the vouchers had been used by third parties or had already been invalidated by the redemption attempt. At the end of June 2019, non-personalized premium vouchers appeared at a discount on promotional platforms such as eBay.
Mastercard accuses third party providers
Both Manager Magazin and heise point out in their articles, referring to a company spokeswoman, that Mastercard blames a “third party” for the leak. Manager Magazin states that the data set contains the names of employees of an agency offering IT solutions. However, this is all unconfirmed. German consumer protection offices advise people who were registered with Mastercard’s Priceless Specials bonus program and entered their credit card details there to have the card blocked. The question remains as to what else will come to light. Is only the German Priceless Specials bonus program affected, or will other countries be affected as well? There is still nothing to be found on the French bonus program page. It’s definitely an ugly story.