PC Optimum program hit with more security issues

Consumers complain of hacked accounts and stolen points even after passwords were reset
4/17/2018

Loblaw is dealing with new questions about security of its PC Optimum rewards program following more reports of customers having their points stolen.

The latest incidents, according to a report by CBC, include people who say they were hacked, changed their passwords (as Loblaw recommended) and still had more points stolen.

Loblaw said it had identified the problem and made the necessary correction. “We know this has been an inconvenience and concern for some members,” said Catherine Thomas, senior director, external communications for Loblaw Companies Ltd., in an email to Canadian Grocer. “Their personal information is safe and every last point will be restored.”

The new problems emerged more than two months after the company combined the legacy Shoppers Drug Mart and Loblaws loyalty programs, and after repeated customer claims about having their accounts hacked and points redeemed.

READ: PC Optimum members say accounts hacked, points stolen

According to the latest CBC story, a program member from Kitchener, Ont. noticed 240,000 points had been used at a Pharmaprix drugstore in Montreal. He reported the problem, created a stronger password and two days later another 10,000 of his points were redeemed at the same Montreal stores.

The CBC reported it had been contacted by more than 40 PC Optimum members claiming to have had points stolen with values ranging from $120 to $1,160.

Another customer in Halifax reported similar issues: he noticed missing points, reported it, changed his password and then another 80,000 points were redeemed in Montreal. He also noticed that when he accessed the app on his phone, he didn’t have to enter his new password.

This appears to be the source of the problem, according to Loblaw.

“As part of our password reset process, devices—like a mobile phone—attached using the original account password may have continued to have access to points,” said Thomas. “This means that in a very small number of cases, even after a password change, points may have been available to unauthorized devices or devices added in error.”

That flaw has been corrected and members who were potentially affected were notified and any lost points will be restored.

Loblaw partnered with British digital marketing and loyalty platform Eagle Eye to launch the new PC Optimum program, but Eagle Eye told Canadian Grocer it is not responsible for password management and described itself as "the transactional engine of the PC Optimum program." Loblaw seemed to be taking full responsibility for recent glitches.

Loblaw and Shoppers Drug Mart have heard other consumer complaints beyond security concerns since merging the programs and have made moves to address those concerns as well.

“We know some members have had challenges with the conversion and have had unacceptable wait times for resolution,” said Thomas. “We are also working diligently to speed our customer service, having doubled our resources over the past two months.”

Nearly nine million members are signed up for the program, (up from six million at the end of February) and almost all of them have had no security problems, she said.

“The PC Optimum program is more secure than either of our legacy programs,” said Thomas. “We are continually reviewing our security and routinely adding new safeguards, steps and mechanisms. Like any online business or digital service, our security will evolve to meet new challenges and our customers’ expectations.”

X
This ad will auto-close in 10 seconds