It has been reported that a database containing sensitive information on about 90,000 members of the German Mastercard “Priceless Specials” loyalty program was shared online following a breach discovered on August 20, and that it was added to the data breach site Have I Been Pwned on September 1. Mastercard has notified German and Belgian regulators of a data breach affecting customers of its “Priceless Specials” loyalty programme after discovering it on 19 August. The Belgian Data Protection Authority stated that customer data from the loyalty programme had appeared on the internet for “a certain period of time”.
Credit card data is some of the most sensitive data of all. If it is unprotected, fraud is easy to commit with stolen card account information. These kinds of breaches therefore create a lot of stress for both issuers and consumers. Even if Mastercard isn’t directly responsible, as there seem to be third parties involved, the reputational damage is high. In addition to the direct costs of this breach, a GDPR fine might follow.
It’s crucial to protect sensitive data, and therefore data privacy, over the entire data lifecycle – from the POS device to processing to backup. Implementing data-centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward. One very effective way to protect sensitive data is to pseudonymize it. Even third parties should only use tokens instead of clear-text data to process payments and store sensitive data. If hackers get access to these tokens, the data is useless to them. This also reduces stress on both sides: for businesses and for consumers.