Mastercard’s Priceless Specials loyalty program gets breached exposing customer information

• The exposed information includes customers' names, dates of birth, gender, email addresses, phone numbers, home addresses, payment card numbers, and the time of first registration with Priceless Specials.
• Mastercard suspended the German Priceless Specials loyalty program and took down its website, leaving a message that says “This issue has no connection to MasterCard’s payment network.”

What’s the matter?

Mastercard exposed Microsoft Excel spreadsheets containing lists of roughly 90,000 and 84,000 rows of customer data on the internet.

The big picture

The customer data leaked on the internet were limited to the Priceless Specials loyalty program. The data was exposed after Mastercard's Priceless Specials loyalty program was breached.

Mastercard became aware of the breach on August 19, 2019. Upon which, the organization launched an investigation on the incident and took the immediate steps to remove the leaked information. It also requested all sites where the information was published to delete them.

On August 21, 2019, Mastercard learned that the second file containing customers’ personal information was published on the Internet. It is currently working to remove them as well.

What information was exposed?

The exposed information includes customers' names, dates of birth, gender, email addresses, phone numbers, home addresses, payment card numbers, and the time of first registration with Priceless Specials.

However, no access data, passwords, or payment card details such as expiration date and CVV numbers were published.

What was the response?

Mastercard suspended the German Priceless Specials loyalty program and took down its website, leaving a message that says “This issue has no connection to MasterCard's payment network”.

• Mastercard reported the data leak incident to the German and Belgian Data Protection Authorities (DPA).
• It has launched an investigation on the incident and is currently in the process of removing the published information and reviewing its security measures in order to prevent such incidents from happening in the future.
• The organization is also actively monitoring whether the personal information of its clients is posted on other Internet servers.
• Furthermore, Mastercard is offering one-year free credit monitoring and identity theft prevention services for all the impacted customers.

“We have received a lot of questions and complaints since the announcement of this incident, we want to reassure users: we have contacted MasterCard in order to get additional information, and are following this case closely together with the Hessian data protection authority and all the other possible concerned authorities,” David Stevens, Chairman of the Belgian Data Protection Authority said.