heise Security has been alerted to a list of nearly 90,000 personal records that is said to come from the Mastercard bonus program Priceless Specials. The Excel spreadsheet contains each person's first and last name, date of birth, e-mail address and, in many cases, postal address and mobile phone number. According to an initial analysis by heise Security, the data appears to be real; if it is not, then someone has gone to great lengths with the fake.
The list contains almost exclusively people with postal addresses in Germany, including almost 60 entries that seem to come from Mastercard employees. Several hundred records appear to be attributable to employees of German financial institutions.
On Monday afternoon, Mastercard's bonus program was still available. When heise Security made the company aware of the potential data leak, Mastercard immediately closed the page. "Mastercard has been alerted to a problem with our Priceless Specials platform," the credit card company told heise online. "We take privacy very seriously and are exploring this issue with great urgency, and we have shut down the Priceless Specials platform as a precaution." At the same time, the company gave assurances that the data leak "is not related to the payment network of Mastercard".
If the data is real, then the Excel spreadsheet is a valuable resource for online crooks. Usually, such information is misused for phishing emails, for example. In this case, the online crook knows that his prospective victim has a Mastercard and would probably send a phishing mail in Mastercard's design. Once the credit card company announces further details on the potential data leak, we will report on them.