150,000 Boots Advantage Card accounts affected by password stuffing

The company's IT team discovered "unusual activity" on numerous accounts

Boots was forced to suspend payments using its loyalty points system after discovering a potential security incident affecting 150,000 users of the drugstore chain’s loyalty programme.

A spokesperson for the company confirmed that they had contacted “a small number of our customers to tell them that we have seen fraudulent attempts to access boots.com accounts”.

“This was after our IT security team spotted unusual activity on a number of Boots Advantage Card accounts, including attempts to access and spend Boots Advantage Card points,” said a spokesperson for the company, who added that the email and password details had not been obtained from Boots.

“As an extra precaution we have temporarily stopped payment by Boots Advantage Card points on boots.com or in store. This removes the ability for people to attempt to access any Boots accounts, but means that customers will not be able to use Boots Advantage Card points to pay for products in store and online for a short period of time.”

One in 20 Britons (14 million people) had signed up for Boots’ Advantage Card scheme, meaning the as-yet-unknown perpetrators of the cyber attack could have accessed the data of a very large user base. Details of the attack are thin, but Boots said the attackers had tried to spend customers’ Advantage Card points through the loyalty system.

The attack is an example of ‘credential stuffing’ (also called ‘password stuffing’), in which usernames and passwords obtained from breaches of other online services are replayed against a different service’s login page in the hope that the credentials have been reused. The attack was therefore directed at Boots customers’ accounts, but did not involve compromising Boots’ database or online service directly.
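As an added illustration (not from the article, Boots or its vendors), the following detector shows how the pattern described above looks in authentication logs from the defender’s side: one source trying many distinct usernames with a high failure rate, where the few successes are the accounts most likely to have a reused password and therefore the ones to reset and step up to 2FA. The log format, field names, addresses and usernames are all constructed.

```python
"""Credential-stuffing detection over login logs (added example, not Boots' code).
A stuffing source sprays many distinct usernames, each tried once or twice, with
a high failure rate; its rare successes are accounts whose owners reused a
leaked password. Log format and field names below are constructed."""
import re
from collections import defaultdict

# Constructed sample log (RFC 5737 documentation IPs, fake users).
SAMPLE_LOG = """\
2020-03-05T09:00:01Z ip=198.51.100.4 user=anna@example.net result=FAIL
2020-03-05T09:00:09Z ip=198.51.100.4 user=anna@example.net result=OK
2020-03-05T09:01:00Z ip=203.0.113.7 user=u001@example.net result=FAIL
2020-03-05T09:01:01Z ip=203.0.113.7 user=u002@example.net result=FAIL
2020-03-05T09:01:01Z ip=203.0.113.7 user=u003@example.net result=OK
2020-03-05T09:01:02Z ip=203.0.113.7 user=u004@example.net result=FAIL
2020-03-05T09:01:02Z ip=203.0.113.7 user=u005@example.net result=FAIL
2020-03-05T09:01:03Z ip=203.0.113.7 user=u006@example.net result=FAIL
2020-03-05T09:01:03Z ip=203.0.113.7 user=u007@example.net result=OK
2020-03-05T09:01:04Z ip=203.0.113.7 user=u008@example.net result=FAIL
"""
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def summarise(log_text):
    """Per source IP: distinct usernames tried, failure/success counts, accounts logged into."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0, "ok_users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed or unrelated lines
        s = stats[m["ip"]]
        s["users"].add(m["user"])
        if m["result"] == "FAIL":
            s["fail"] += 1
        else:
            s["ok"] += 1
            s["ok_users"].add(m["user"])
    return stats


def flag_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: sorted accounts successfully logged into} for sources that tried
    at least min_users distinct usernames with a failure ratio >= min_fail_ratio.
    One user retrying a forgotten password never reaches the distinct-user bar;
    the accounts a flagged source did get into are the ones to reset / step up."""
    flagged = {}
    for ip, s in summarise(log_text).items():
        ratio = s["fail"] / (s["fail"] + s["ok"])
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = sorted(s["ok_users"])
    return flagged
```

Running `flag_stuffing(SAMPLE_LOG)` flags only 203.0.113.7 and lists the two accounts it got into; the legitimate user at 198.51.100.4 who mistyped once is left alone.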

The cyber attack follows two similar incidents earlier this week, involving the free railway station wi-fi provider C3UK and Tesco’s Clubcard loyalty scheme. Around 600,000 accounts were believed to have been hacked using username and password combinations stolen from other sites, as scammers attempted to redeem vouchers amassed by Tesco’s shoppers.

Estimates from price comparison site Money Guru suggest that any data stolen from Clubcard holders could be traded “in Dark Web marketplaces” for as little as £2.70, while the average Briton’s entire online identity could be bought for “less than £750”.

“People’s data is so cheap simply because it’s so easy to get hold of,” said Jake Moore, a cybersecurity specialist at ESET. “Personal information is breached on what seems like a weekly basis, and then quickly features on the dark web for sale.”

Moore added that there is a “need to help educate people to look after their own personal cyber security”. 

“It’s insane that people are still using the same three passwords across all online accounts, and once one or two are compromised, the third is usually guessable,” he said. “When data is stolen there’s very little we can do about it. What we can do, though, is to be on alert for phishing emails, implement 2FA where possible, and start making all passwords unique for all sites.” 
