Mastercard Alerts Privacy Watchdogs After Loyalty Program Leak
Mastercard Tells Belgian, German Privacy Watchdogs of Breach
(Bloomberg) -- Mastercard Inc.’s European unit formally notified Belgian and German data-protection regulators of a data lapse concerning a loyalty program, officials said on Friday.
The Belgian watchdog said in a statement on Friday that the card company alerted it to a “breach” detected on Aug. 19. It said the episode would have affected a “large number” of people and that “a significant portion” of them would be German customers.
The regulator in Hesse, Germany, said in a separate statement that Mastercard Europe SA was investigating and had already taken remedial steps and deleted any personal data that had been published online.
European Union data protection rules oblige companies to notify regulators of any possible data breaches within 72 hours and inform affected customers if the breach poses a potential risk for them. The EU rules, in force since May 2018, give the bloc’s privacy regulators new powers to fine companies as much as 4% of annual sales for the most serious violations.
Mastercard said in a statement that the incident “has no connection to Mastercard’s payment transaction network.” It said “there was an event involving the Specials loyalty platform in Germany managed by a third-party vendor, which resulted in the unauthorized distribution of certain information.”
“We take privacy and security extremely seriously and are taking every possible step to investigate and resolve the issue,” it said. “This includes informing and supporting those cardholders affected and immediately suspending the Specials platform, among other actions.”
David Stevens, chairman of the Belgian Data Protection Authority, said the agency had “received a lot of questions and complaints since the announcement of this incident” and “we want to reassure users.”
“We have contacted Mastercard in order to get additional information” and the regulator is “following this case closely together with the Hessian data-protection authority and all the other possible concerned authorities,” Stevens added.
--With assistance from Jenny Surane.
To contact the reporter on this story: Stephanie Bodoni in Luxembourg at sbodoni@bloomberg.net
To contact the editors responsible for this story: Anthony Aarons at aaarons@bloomberg.net, Peter Chapman
©2019 Bloomberg L.P.