Second cyber-attack on a retailer’s loyalty card scheme in the space of a week sees High Street chemist Boots suspend Advantage Card payments
Criminals have attempted to hack into Boots customers’ accounts, using details stolen from other websites.
Boots has taken the decision following the cyber-attack to suspend Advantage Card payments, meaning customers will not be able to use their Advantage Card points to pay for products for the time being.
This is the second such attack on a British retailer in the space of a week. Tesco earlier this week warned of “fraudulent activity” surrounding some account holders of its Clubcard loyalty scheme.
Tesco said that no customer’s financial data accessed, and it doesn’t seem to be a hack of Tesco’s internal systems.
Rather, it seems that someone stole password/username combinations from other website(s) and used them to try to access Tesco accounts.
Indeed, the stolen information was reportedly utilised in order to try to gain access to up to 620,000 Clubcard accounts in total.
Boots likewise said none of its own systems were compromised, but that it had suspended payments using the cards while the problem was dealt with.
The attempted hack reportedly affected around 140,000 of the company’s 14.4 million Advantage Card holders.
Boots stressed that no credit card information had been accessed.
“We are writing to customers if we believe their account has been affected,” Boots was quoted by the Daily Mail as saying in a statement.
“If their Advantage Card points have been used fraudulently we will, of course, replace them,” it said. “These details were not obtained from Boots.”
The second such attack on a British retailer in the space of a week has prompted a response from a number of security experts.
“News of attempts to break into customers’ loyalty card accounts using stolen passwords, points to a growing trend: retailers’ schemes can be all too easily exploited using credentials from unrelated breaches as Tesco and Boots have experienced,” said Jeremy Hendy, CEO at security specialist Skurio.
“We are seeing that stolen subscription credentials are increasingly used as currency on the black market,” said Hendy. “Some attacks are simply opportunistic attempts to re-sell active subscriptions for services like Spotify and Netflix to third parties. The bottom line is that once customer credentials are breached for one business there is a ready market of criminals looking to exploit them further.”
“It’s further evidence of the importance of routinely monitoring for exposed data outside their network,” said Hendy. “Early breach detection for compromised credentials means businesses are far better equipped to take proactive action; if data has been leaked onto the Dark Web, there’s a lot that can be done to minimise damage. The most important thing is to make sure is that you know that it’s happened – and then take action as quickly as possible.”
Another expert pointed to the important of affected customers changing their passwords as soon as possible.
“Passwords, along with other personal information are becoming more readily available to cyber-criminals thanks to the number of major data breaches we’ve seen in recent years,” said Frederik Mennes, director of product security at OneSpan.
“Those affected by the Tesco Clubcard and Boots Advantage Card attacks should act quick to change their passwords, and ensure they’re not reusing the same password across other accounts,” said Mennes.
“For businesses, this is another sign that a more dynamic and agile approach to authentication is needed, as opposed to relying on static data such as passwords,” said Mennes. “The best way for businesses and consumers to scrap passwords without compromising security, and the user experience, is to use a combination of multiple, layered authentication technologies, such as biometrics, behavioural analysis, one-time push notifications, or authentication on an additional device.”
Do you know all about security? Try our quiz!