The Green Sheet

Thursday, August 29, 2019

Mastercard’s not-so priceless data breach

Mastercard has built significant brand recognition around its “priceless” initiatives. Now it is getting recognition it might rather do without for a data breach involving cardholders in Germany who participated in the card brand’s “priceless specials” loyalty program. Mastercard revealed in filings with data protection agencies in Germany and Belgium that it discovered on Aug. 19 and again on Aug. 21, 2019, that data on German cardholders participating in the priceless program, which is managed by a third party, had made its way onto the Internet “for a certain period of time.”

Mastercard, in an online notice to program participants, said it promptly removed the data from the Internet and informed those affected by the breach. The company said it will continue to monitor whether the information gets posted again, and if so, “we intend to have it removed.”

In a press statement, Mastercard said it shut down the priceless specials platform on Aug. 19 as soon as it discovered the first crop of data on the Internet. “This issue has no effect and is not related to Mastercard’s payment network,” the company added.

Information believed to have been stolen includes payment card numbers, names, dates of birth, gender, mailing and email addresses, telephone numbers and program membership start dates. “Neither access data nor passwords were published,” Mastercard said in its online notice. “The expiration date of payment cards and the check digit (CVV) were also not published.”

EU investigation underway

While affected cardholders all were German residents, Mastercard’s European headquarters is in Waterloo, Belgium, hence the notification given to Belgian authorities, according to a joint statement issued by the two data protection agencies.

The European Union enacted a strict new rule structure for protecting data amassed by businesses and the personal privacy of consumers. The new rule set, which took effect in May 2018 and is commonly referred to as GDPR (for General Data Protection Regulation), also streamlined compliance and investigations.

The GDPR provides a cooperation mechanism for national supervisory authorities, called the “one-stop-shop,” which is activated when a breach affects citizens in multiple EU countries or a covered entity does business in more than one EU member state. Under that mechanism just one data protection authority takes the lead in investigating data breaches, while supervisory authorities in other affected countries take part in the decision-making process.

In this instance, it appears the Belgium Data Protection Authority is taking the lead. “We have received a lot of questions and complaints since the announcement of this incident,” David Stevens, chairman of the Belgian DPA, said in a statement. “[W]e want to reassure users: we have contacted Mastercard in order to get additional information, and are following this case closely together with the [German] data protection authority and all other concerned authorities.”


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
