376,000 credit card holders' details stolen in breach
The full credit card details of more than 376,000 people who took advantage of a customer loyalty offer have been stolen in a criminal attack.
The personal details of 1.12m clients were also taken in the data breach at Loyaltybuild, based in Ireland.
Full card details were taken from 70,000 Supervalu Getaway customers and 8,000 AXA Leisure Break customers.
The Data Protection Commissioner said another 150,000 clients' details were "potentially compromised".
The commissioner said: "The initial indications are that these breaches were an external criminal act."
The Office of the Data Protection Commissioner (ODPC) in the Irish Republic received a preliminary report following an inspection at Loyaltybuild in Ennis, County Clare.
It said it would fully assess the findings and make a number of recommendations to Loyaltybuild.
The commissioner warned customers to be vigilant with their accounts and to report any suspicious transactions to their card company.
Earlier, it emerged that supermarket chain Supervalu had asked 62,500 people involved in its Getaway Breaks scheme to contact their banks - 6,800 of them from Northern Ireland.
Data Protection Commissioner Billy Hawkes said that affected customers should check financial transactions on cards over the last two years.
"It's important that the customers affected actually look and check with their financial institutions, identify if there are any transactions they didn't authorise," he told Irish State Broadcaster RTÉ.
In a statement on its website, Loyaltybuild said: "As part of our ongoing investigation, into a system breach identified last month, Loyaltybuild has discovered that it has been the victim of a sophisticated criminal attack.
"We are working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers, who are of paramount importance to us."
End Quote Loyaltybuild statement
We are working around the clock with our security experts to get to the bottom of this”
The breach was discovered on 25 October and a third party firm has been running forensic tests.
Supervalu said the incident was more extensive than initially thought. Customers who made Getaway Break bookings between January 2011 and February 2012 have been advised to contact their financial institutions.
Customers are also being warned to treat any unsolicited communication claiming to represent Supervalu, Getaway Breaks or Loyaltybuild with "extreme caution".
Supervalu said it was continuing to work with Loyaltybuild to resolve the issue as quickly as possible but had also engaged its own IT security consultants to investigate the Loyaltybuild system.
It also emphasised that the breach of security was in data collected and held by Loyaltybuild on Getaway Breaks customers only and did not involve other customers of Supervalu.
AXA Ireland confirmed its customers' data may also have been compromised by the Loyaltybuild breach.
In a statement, the company said: "Loyaltybuild's forensic team has now advised that there is a high risk that an unauthorised third party accessed details of payment cards used to pay for AXA Leisure Breaks between January 2011 and February 2012.
"This investigation is still ongoing in relation to whether other personal data of customers has been compromised," it added.
AXA said all other customer transactions by payment card were unaffected.
Stena Line has said it is working with LoyaltyBuild to establish the extent of the security breach after it was involved with what the company said was a small scale, tactical hotel promotion.
It urged customers to contact Stena Line at 01 204 7777 if they have concerns over the breach.