The rewards programs for at least ten different leading retailers have been compromised by hackers. On the dark web, there are currently many fraudulent loyalty point accounts available for purchase using Bitcoins. The most notable company to be affected is popular sandwich maker Subway.
The hackers obtained the rewards accounts by exploiting vulnerabilities within the platforms of the retailers. They also targeted rewards users, and stole information from third-party websites. After obtaining the information of the accounts, the accounts are fraudulently used to obtain a variety of free items through the rewards programs of the stores.
One British pub chain called JD Wetherspoon was hacked, with the information of more than 650,000 of the store’s customers being compromised. This personal information can be purchased on the dark web. Some of this information includes email addresses, phone numbers and dates of birth.
Not all of the retailers that were affected have been revealed. However, it has been confirmed that Subway and a leading supermarket chain in the United Kingdom have been targeted. Subway has since stated that the theft of its loyalty card accounts was caused by the hacking of a third party website. The sandwich chain has insisted that it has not been the subject of a data breach.
A Subway spokesperson said, "We believe that past data hacks of other online systems have resulted in a large volume of personal information being available online. This data, stolen from other sites, appears to have been used to access otherwise secure sites where the user had common usernames and passwords across many or all of the applications they used. We would like to reassure our customers that our own systems were not breached and no personal data would have been revealed. We would also like to note that we do not hold any customer bank or credit card details as this information is not required as part of the loyalty scheme."
Last January, both United Airlines and American Airlines revealed that many of the air miles accounts of their customers had been compromised and later used to book free air travel or obtain various upgrades.
According to security expert James Chappell, the stealing of the information of rewards cards is a problem throughout the retail industry. Such schemes are an easy way for hackers to make a quick buck.
Chappell said, “We do see a lot of forum activity and various discussions about people talking about monetizing loyalty cards. Some brands are certainly targeted more frequently than others. It is a pretty significant problem, but it is something retailers possible build into the cost of doing business. It's harder to report, and police do take an interest. It's also something customers may not notice.”
Chappell believes that the problem could be combated by improving authentication techniques and correlating where customers log in versus their registered details. It is unknown if any retailers plan to put in such measures to protect their customers in the near future.