The reward schemes of at least 10 leading retailers have been compromised by hackers, with numerous fraudulent loyalty point accounts available on the dark web in exchange for Bitcoin, according to security experts.
Hackers appear to have obtained the information through a variety of means, including exploiting vulnerabilities in retailers’ platforms, targeting individuals, and compiling information from third-party sites.
Those accounts are then being fraudulently used to redeem a variety of free items, according to cyber security firm CyberInt, which collects and analyses data from multiple online sources.
CyberInt recently revealed that the pub chain JD Wetherspoon had been hacked, leading to more than 650,000 customer email addresses, phone numbers and dates of birth having been stolen. These details were also for sale on the dark web.
The company would not identify all retailers, but it has named a leading UK supermarket and the sandwich chain Subway's customers as among the targets.
However, a spokeswoman from the sandwich chain said the theft of loyalty card accounts is due to third-party sites being hacked, and said the chain has not been subject to a data breach. She added the very limited customer information it holds on its system is secure.
Elad Ben Meir, veep at CyberInt, said the company’s research suggested loyalty card fraud is a “significant” and growing problem. The firm uncovered the fraud by monitoring forum activity on the dark web.
This is not the first time reward schemes have been targeted in this way. In January, United Airlines and American Airlines both admitted that a number of their customers’ air miles accounts had been compromised and used to book free travel or acquire upgrades.
According to security experts, the practice of targeting retailers' loyalty card schemes is an 'industry-wide' problem. James Chappell, co-founder of Digital Shadows, said loyalty schemes are commonly targeted as they are easy for hackers to monetise.
"We do see a lot of forum activity and various discussions about people talking about monetising loyalty cards. Some brands are certainly targeted more frequently than others," he said.
"It is a pretty significant problem, but it is something retailers possibly build into the cost of doing business. It's harder to report, and police do take an interest. It's also something customers may not notice," he said.
He added that improved authentication techniques and correlating where customers log in against their registered details might help retailers tackle the fraud.
The spokeswoman from Subway said: "We believe that past data hacks of other online systems have resulted in a large volume of personal information being available online. This data, stolen from other sites, appears to have been used to access otherwise secure sites where the user had common usernames and passwords across many or all of the applications they used."
She added: "We would like to reassure our customers that our own systems were not breached and no personal data would have been revealed. We would also like to note that we do not hold any customer bank or credit card details as this information is not required as part of the loyalty scheme." ®