Cyber Incident Victim: Mastercard Priceless Specials

Date: Aug 2019

Location: Germany

Summary

A data breach impacting Mastercard's Priceless Specials loyalty program exposed customers' personal information, including payment card numbers, names, dates of birth, gender, mailing addresses, email addresses, and telephone numbers. The compromised data was published online, prompting the company to suspend the German program, remove hosted information, and notify affected individuals while offering credit monitoring and identity theft prevention services. The incident originated from a third-party vendor managing the loyalty platform, with unauthorized data distributions occurring in multiple instances, though sensitive details like account passwords and card security codes remained unaffected. Authorities in Germany and Belgium were notified, and investigations are ongoing to address the breach.

Description

On August 19, 2019, Mastercard discovered that customer data from its German Priceless Specials loyalty program had been published on the Internet. The exposed information included names, payment card numbers, email addresses, home addresses, phone numbers, gender, and dates of birth. Mastercard clarified that the breach was confined to the Specials program and did not involve Mastercard's payment network. The leaked payment card data consisted solely of card numbers, with no compromise of account passwords, card security codes, or expiration dates. Upon identifying the leak, Mastercard promptly suspended the German Priceless Specials platform and took its website offline, replacing it with a notice about the incident's isolation from core payment systems. The company initiated an investigation and requested removal of the exposed data from hosting sites.

Two days later, on August 21, Mastercard became aware of a second file containing personal information published online and began efforts to remove it. The company notified German and Belgian Data Protection Authorities (DPAs), confirming the breach impacted personal identifiers (titles, names, birthdates, gender) and contact details (mailing addresses, emails, phone numbers) alongside card numbers. All affected customers were directly informed about the exposure. Mastercard offered complimentary credit monitoring and identity theft prevention services to impacted users. An August 23 update attributed the incident to a third-party vendor managing the German loyalty platform, which enabled unauthorized data distribution. The Belgian DPA chairman confirmed coordination with German authorities and Mastercard to gather additional details while addressing public concerns. No evidence suggested misuse of the exposed data at the time of reporting.
