At least 10 major loyalty card schemes compromised in industry-wide scam

The reward schemes of at least 10 leading retailers have been compromised by hackers, with numerous fraudulent loyalty point accounts available on the dark web in exchange for Bitcoin, according to security experts. Hackers appear to have obtained the information through a variety of means, including exploiting vulnerabilities …

  1. 2460 Something

    Ouch

    Not again. Surely at some point all of these companies should have to look to how much they invest in the security of all customer data that they hold and either be required to put better safeguards in place, or close the scheme and bow out of something too prohibitive to maintain. Unfortunately, as they are more likely to be using the loyalty information to build customer profiles / trends, it is more at risk from 3rd party loss at whichever company they employ to do the data mining for them. Just a shame none of them are ever held to account for it.

    1. Dan 55 Silver badge

      Re: Ouch

      Half of it is PHP-driven SQL injection bollocks. It should basically be illegal for a company to make a site without showing that they've thought about security.

      The other half is people using the same e-mail and password for everything. Sites with loyalty cards should ask for the loyalty card number too (something you have).

      1. Anonymous Coward

        Re: Ouch

        > Sites with loyalty cards should ask for the loyalty card number too

        Well the Shell site does, and it's bleeding annoying. The number is way too long to want to type in and is written in far too small text to read without finding my better reading glasses, and then they're too powerful to allow me to focus on the screen again, so I need to switch back and forth between pairs of glasses, and yes, both pairs are variable focus jobbies. ARGH!

        It does rather stop the system being customer friendly.

      2. 2460 Something

        Re: Ouch

        And both of these need addressing. I completely agree that there should be some form of legal requirement for companies to provide evidence of a good security plan, but that should also include updates on regular maintenance schedules etc. Some form of guidance that states the level of additional security required based on what type of data is being stored. The current legislations do not go far enough to protect the consumer.

        Education of end users is equally important. I have set up all of my immediate family with different password management regimes based on their individual technical capabilities and needs. Good security doesn't have to be onerous, it should, however, reflect the same risk vs impact model. If you are only ever getting your email, doing a bit of skype and facebook having them written down in a notebook at home is fine. If you need to do shopping online or internet banking, encryption is a must.

        As you say, lots of people use a generic username and password for everything; the number of people whose accounts are compromised on one site and so therefore compromised everywhere is staggering. But if they don't know any better, can we blame them? Bad information from the media, ridiculous and inconsistent application of the Data Protection Act which is only followed when it suits the company, mixed messages from most companies and banks. If a company rings me up, they absolutely should either have a completely different authentication method from when you call them, OR provide a reason behind the call and ask you to call them back at your convenience (and expect you to use the numbers for them you already have). Instead they immediately start asking for Name (Wait, didn't you just call me?), DOB, Address. Making all of this information easy pickings for social engineering.

    2. Unlimited

      Re: Ouch

      >companies should have to look to how much they invest

      They do, regularly.

      The decision is usually: IT costs too much, let's run it into the ground and eventually outsource it to the CEO's friend's company so we can focus on our core goal of making sure management gets richer.

  2. Zog_but_not_the_first

    The Internet...

    ... is broken.

    Well, somebody had to say it.

    1. Roger Greenwood

      Re: The Internet...

      Mr Trump suggests we shut down the bad bits of the internet. Apparently he "knows a guy".

      1. DavCrav

        Re: The Internet...

        "Mr Trump suggests we shut down the bad bits of the internet."

        If we shut down the bad bits of the Internet, all that will be left is the porn. Sometimes people need something else though, so that's clearly a non-starter.

        1. John Sanders

          Re: The Internet...

          I think he was talking about shutting down the internet for ISIS, as in shutting it down via regional BGP, not blocking individual websites.

          I'm surprised this hasn't been done earlier.

          1. Anonymous Coward

            Re: The Internet...

            >as in shutting it down via regional BGP, not blocking individual websites.

            >I'm surprised this hasn't been done earlier.

            Wow, American poster? Would explain the wonder at why unilaterally the "good" guys can't just decide who the "bad" guys are and instantly punish them and only them, with said "bad" guys obviously having no recourse (the baddies never figure a way around blanket fixes, huh). It's the kind of thinking that causes an AC-130 gunship to continue to strafe a hospital until many of the doctors and patients are dead and then denying and blaming others until the truth comes out.

          2. Dan 55 Silver badge

            Re: The Internet...

            Good idea, deep packet inspection filtering against the IP header modification proposed in RFC 3514. We have to ask ourselves why there are so many interested parties actively stopping this being rolled out and what action we can take against them.

          3. John Brown (no body) Silver badge

            Re: The Internet...

            "I think he was talking about shutting down the internet for ISIS, as in shutting it down via regional BGP, not blocking individual websites."

            Oddly enough the World Wide Web and the Internet that it runs on is...erm....world wide. Some of those so-called ISIS sites may well be hosted in the UK, the USA, or just about anywhere else in the world. Just like the people who claim to be ISIS. Good luck with that.

            1. Danny 14

              Re: The Internet...

              China has a great firewall, Trump is just jealous of it.

              I for one welcome the US and its 80% of worldwide spammers being walled in.

  3. Anonymous Coward

    My PI

    Is not given away freely nor for sale.

    1. Danny 14

      Re: My PI

      PI2 is better, the extra RAM alone makes a difference.

    2. Dave559 Silver badge

      Re: My PI

      The snag is that while standard 'loyalty card' schemes generally offer fairly small perks and are often barely worth the effort (from the customer's point of view), increasingly the marketing weasels are getting ever more sneaky in their attempts to force-feed you their spam like a foie gras goose, and some store chains (I won't give them the oxygen of publicity by naming them) now have even more sleazy 'membership' schemes where you have to opt-in to their relentless deluge of spam to be able to shop at "members'" prices, or they offer you quite a non-trivial discount (say, 10%) off your next purchase if you sell your soul. The worst thing about these schemes is that if you refuse to allow yourself to be ducked in the swamp of spam, you effectively end up being surcharged considerably otherwise. If I get a good service from your shop, I will happily shop at it (and I will tell my friends) but if you try to spam me in any way whatsoever, you'll just piss me off no end.

      When will the marketing weasels learn that the more you spam me, the far less likely I am to shop at and have goodwill for your shop? And the bastards rarely ever respect the "opt-out" (should be "opt-in" to be properly compliant with the Data Protection Principles) tick box or permanently remove you from their spam list (if you unsubscribe) either, despite both of these being illegal?

  4. clocKwize

    Rewrite of Subway's response: Hey, the personal data you gave us, that we gave to a third party, got stolen, BUT IT WASN'T US! WE AREN'T RESPONSIBLE! LOL

    1. Hawkeye Pierce

      Indeed. In the same way that if I buy something from an online retailer and the delivery company fouls up then it's the retailer that has to put it right, then it should also be Subway's problem if the data I've given it is leaked. Doesn't matter who leaked it, I gave it to Subway and from that moment on, it should be their problem to ensure it's safe.

  5. joed

    But why

    would anyone provide real name, birth date and non-junk email to bs like this? Would they also give SSN if asked?

    Facebook syndrome I guess.

    1. Anonymous Coward

      Re: But why

      If you are using Tesco Clubcard loyalty points to purchase stuff, say, Tesco need your real name, real address and a live email in order to deliver your stuff to you.

    2. John Sanders

      Re: But why

      Upvoted, my colleagues always make fun of me because I use different fake identities for this garbage.

    3. Ian Bush

      Re: But why

      Why does a sandwich company need any of this at all?

    4. Anonymous Coward

      Re: But why

      SSN = "Social Security Number"* (not Ship Submersible Nuclear**) I presume.

      *something like the National Insurance number for we Brits.

      **'Fleet submarine', nuclear-powered hunter-killer, for we Brits.

      1. Terry 6 Silver badge

        Re: But why

        You know your NI number?

        You even know where to look for it?

        I bet most ordinary folk don't even remember they have one. Until they really need it.

        1. CrazyOldCatMan Silver badge

          Re: But why

          > You know your NI number?

          Yes. It's a pretty short combo of alphanumerics to remember. Shame it's not computable like the driving licence number.

          1. Danny 14

            Re: But why

            I do indeed. Many, many years ago I used to be part of the Air Cadets. On the little book you have is your NI number, and during the really boring times (usually waiting for your flight) you read your 3822 from cover to cover. I memorised my NI number many times (and pretty much the entirety of the 3822).

    5. Dave559 Silver badge

      Re: Date of birth

      The marketing weasels often make the Date of Birth field compulsory to fill in on the form (presumably because they want this in order to segment people by age ranges, and in a very few cases because of legal requirements for age-related products), and sadly, most people are too trusting to even think of giving a false date.

      The big problem is that if the date of birth is stolen it can be used in identity theft attempts. Where there is no legally-required reason for knowing the full date of birth, the marketing weasels should be permitted to only request 'year of birth' (and not the full date of birth) for age range segmentation purposes only. In short, if you don't have a watertight legal requirement for knowing any category of data, you shouldn't be allowed to request it, and the data categories and use purposes should be scrutinised absolutely mercilessly by the Information Commissioner's Office as part of their Data Protection registration process (and their Data Controller Register number and link required to be shown on their website). I'm not holding my breath that this will ever happen, however...

  6. Will Godfrey Silver badge

    I feel left out

    I don't have any 'loyalty' cards. Saw through the scam from day one.

    Something for nothing? Oh yeah... about that bridge for sale...

    1. chivo243 Silver badge

      Re: I feel left out

      @Will Godfrey

      Does it link my recently purchased land in Florida with the part of the Eiffel Tower that I own?

      Sold!

      I'm sure it won't reach to my estate on the Moon.

    2. heyrick Silver badge

      Re: I feel left out

      Something for nothing? Depends upon the card. My last microwave was "free" with loyalty points, and a fast food joint I go to when I'm too lazy to cook something gives you a free meal after so many purchases.

      They have my real name and age (not DOB), the supermarket knows my address (fast food didn't ask). I refused to give phone numbers and email addresses are Yahoo spam trap ones.

      If it is possible to pwn me using little more than what's written on an envelope through the post, I'd say something is wrong with that service. A name and a matching address absolutely does not authenticate a person, having that information just gives one a chance at working as a postal employee...

      1. Conor Turton

        Re: I feel left out

        " My last microwave was "free" with loyalty points,"

        Tesco Clubcard Points have paid for three holidays in France, one in Spain and paid for RAC breakdown cover for the last half decade. Done right loyalty points can be worthwhile.

        1. Cpt Blue Bear

          Re: I feel left out

          "" My last microwave was "free" with loyalty points,"

          Tesco Clubcard Points have paid for three holidays in France, one in Spain and paid for RAC breakdown cover for the last half decade. Done right loyalty points can be worthwhile."

          Once again, no they didn't - you paid for those things with points. You gave Tesco an interest free loan of, if points values are anything like here in Oz, 1% of your spend with them and they repaid it in company scrip.

      2. Tromos

        Re: I feel left out (@heyrick)

        You've paid for your 'free' microwave several times over in the process of acquiring the loyalty points to get it. There's a reason that the best prices and biggest discounts are offered by chains that do not have loyalty card schemes.

        1. heyrick Silver badge

          Re: I feel left out (@heyrick)

          @ Tromos: You won't find a supermarket around here that doesn't have this sort of scheme, unless you count little things like "Casino" that double the price automatically "because they are local". As such, I might as well put those "points" to good use.

          1. Cpt Blue Bear

            Re: I feel left out (@heyrick)

            They don't "double" the price "because they are local", their costs are higher because they lack the leverage to beat down their suppliers, landlords and tax authorities. They also lack alternative revenue streams such as selling shelf space and position*

            * It was a badly kept secret that Coles (one of Oz's two big chains) made more money selling shelf space to the local Coca Cola licensee than selling their product.

        2. J Bourne

          Re: I feel left out (@Tromos)

          But what you forget is this: those customers without loyalty cards don't pay a lower price for the same goods that I buy. They just get the goods; I get the goods plus a percentage of my spend back to spend again. Effectively giving me a lower price (yes, I take the monetary value of my points once a year at the checkout), I effectively get a free large weekly shop once a year. All the non-card holders help to subsidise that.

          1. Joseph Eoff

            Re: I feel left out (@Tromos)

            QUOTE J Bourne:

            "But what you forget is this: those customers without loyalty cards don't pay a lower price for the same goods that I buy. They just get the goods; I get the goods plus a percentage of my spend back to spend again. Effectively giving me a lower price (yes, I take the monetary value of my points once a year at the checkout), I effectively get a free large weekly shop once a year. All the non-card holders help to subsidise that."

            Which pisses me off no end. I am penalized for keeping my private information private, and the penalty I pay goes to twats like you.

    3. Tim 37

      Re: I feel left out

      > I don't have any 'loyalty' cards. Saw through the scam from day one.

      I too have skipped all the offers for loyalty cards. I did hear that some retailers were profiling our shopping habits anyway linking us via our bank card usage. Time to go back to using cash?

      1. EddieD

        Re: I feel left out

        I'm actually paranoid enough to use cash for most of my purchases - shopping for food mainly at a local market that only accepts cash helps with this. And at the supermarket it stops my bank telling my insurers just how much I drink per week...

        I'm reminded of a Calvin and Hobbes cartoon:-

        http://assets.amuniversal.com/d011b090df960131725e005056a9545d

        1. Danny 14

          Re: I feel left out

          Normally I would agree, except I have a Sol Melia card. You get points if you stay in the hotel chain and we pretty much always take a holiday in a Sol Melia hotel. Year before last we spent our accumulated 100,000 points (about 10k of holidays worth) on Christmas presents; we got about £300 of kit back. We would have gone to the hotels anyway, so it wasn't like I went out of the way to get them (and Quidco cashback is compatible with the card as the points are added by the hotel when you get there, not at the purchase). The more points you get the more perks you get in the hotel too, so we now get free late checkouts, free wifi, free bottles of water on check in etc. Again nothing too heavy, but little extras for what we would have gone for anyway (late checkout is great for Canary Island flights, for example, and can save a hundred quid. Free wifi is also useful).

          I don't bother with pub/subway/Tesco cards although I know many people who hoard Tesco vouchers and spend them on offers when they come out (brother in law got big discounts on Disney hotels) but you have to be fairly savvy to get those deals.

          Not sure on airmiles/avios/whatever they are. I did register some a long time ago (did a one-world ticket around the world backpacking) but didn't do anything with the points - still registered to an address that is now bulldozed....

      2. Dave559 Silver badge

        Re: I feel left out

        > I did hear that some retailers were profiling our shopping habits anyway linking us via our bank card usage.

        That sounds legally very dubious; not that that would probably stop them, especially given that a lot of "CRM" software (sorry, excuse me while I wipe away the sick) comes from the USA, whose pitiful laws on Personal Data can generally be summarised as, "Painfully reap them for all that you can", and such software probably has such functionality built-in and enabled by default (I won't even mention Unsafe Harbor). I would have thought and hoped that EU Data Protection laws would permit payment card data to be used strictly only for processing the actual payment.

    4. Terry 6 Silver badge

      Re: I feel left out

      Sometimes on this site we need to step back and remember most people are not tech aware.

      Most probably don't even understand that they are giving away data, let alone where the data goes and how it's used. So they are not making "informed choice".

      They are just collecting their "loyalty points" so that after 10 visits they can have a free portion of fat salt and sugar.

      Yes, we know. And as tecchies of one sort or another we should be letting everyone know what it's about. But there's no point smugly deriding ordinary shoppers going about their lives if we haven't tried to enlighten them.

  7. MJI Silver badge

    Subway

    Hand you a card, use it once OK, go back later, card not valid, get new card, rinse and repeat.

    They mentioned using something on a mobile telephone, no thanks.

    Got a good supply of ice scrapers/door openers ect

    1. Inventor of the Marmite Laser Silver badge

      Re: Subway

      etc. As in Et Cetera. Literally: "and the rest"

  8. Anonymous Coward

    Possibly a foolish way to look at it but I assume that any information I give to a company is freely available to the world. The company may promise to keep my details safe and they may even have a half way decent go at doing it but I can't verify that. In reality though a lot of companies don't store the details very securely and some occasionally get hacked.

    Being a regular internet user I've got about 200 accounts that have varying amounts of personal info. Over the years half a dozen have been hacked that I know of and probably a load more that I don't know about. There's nothing I can do about that information now it's got free and there's the problem. Some of your information (e.g. your email address) is only as safe as the weakest link.

    1. Doctor Syntax Silver badge

      "Some of your information (e.g. your email address) is only as safe as the weakest link."

      Which email address would that be? People who are likely to be long term suppliers get their own address; these days the rest get one which is used for a few weeks & then torn down (they used to get a hotmail address). An email address doesn't need to be "your information" for any greater value of "your" than you choose to make it.

    2. a_yank_lurker

      Some information is available, legally, through various directories, such as residence. Some is probably available by perusing a person's posts on Facebook. Now one is left with getting SSN/national id, credit card data, etc. that should be available.

      Another thing about customer loyalty cards: the initial information is accurate, but how often is it updated? Some of mine, the address, phone, and email are totally wrong - they are that old.

  9. Mark 85

    Only one loyalty card here.. and no info given to the company other than name and home phone number. We've moved, got a new number and never updated the card, and they don't ask. It's a supermarket card that gives me points for a discount from their filling station. They demanded an email addy and got one... a throwaway which I've never even accessed. OTOH, I regularly save 50-70 cents per gallon when I top off the tank. Every other place wants too much info, and I'll be damned if they can have it. Same for store credit cards that offer "discounts" with the high interest rate and a rep for killing your credit score... kiss my tuckus.

  10. Stevie

    Bah!

    At what point do the information hoarders of the western world get a clue and start encrypting the bloody data? All of the data.

    Since they can't stop it wandering, the sodding least they could do is to make it unreadable. Yet no-one does.

    I'm surprised the Chechnyan teens bother with such trivia when the Preston Megastore is sitting there likely with its thighs apart saying take me for all I've got big boy.

  11. John Brown (no body) Silver badge

    Who?

    It's really not much of a story if "named a leading UK supermarket" isn't actually named in the story. If it's really 10 loyalty card schemes potentially affecting millions of people, why the hell is the story not digging out the information? Are they all UK loyalty card schemes, or is it some single multinational company operating schemes on behalf of other companies around the world?

    This feels like a re-worked press release with some relevant padding from previous hacks added in to make a story with little substance and no actual journalism. Did El Reg even try to contact anyone about this? I'm guessing not, since normal practice is to include a note at the bottom saying no one was available for comment.

  12. Dave559 Silver badge

    Does there need to be a mandatory Information Security audit for every Data Controller?

    On so many occasions, data theft seems to be the result of poorly-developed and insecure web applications.

    Should it perhaps be part of the Data Controller registration process that the Data Controller's systems should be formally audited and penetration tested, perhaps using something similar to the OWASP guidelines <https://www.owasp.org/> before permission to process data is granted?

  13. Anonymous Coward

    Paperless vouchers

    I try to game the system by nevertheless having 'loyalty' cards, to try to encourage the supermarkets to stock the products that I like to buy in the supermarket nearest me (and not only in the larger suburban ones), although their Big Data doesn't seem to have picked up on this (probably because they only see me buying these occasionally, because I can only occasionally go to the suburban supermarkets, hmm..).

    One of the well-known UK loyalty schemes lets you get your discount by swiping your card, which is nice and simple. The other well-known scheme insists on sending you paper vouchers by post, which is a real hassle (you'd almost think that they're trying to make it hard for you to reclaim your discount). Why can't they all just work by card swipe?

    And to make it worse, the otherwise paperless scheme has recently also started to spew out gazillions of paper vouchers for other offers at the till. Can't they just give you the offer automatically when you swipe your card? Life is too hectic to want to have to stuff your wallet full of annoying paper vouchers!
