Loblaws PC Plus Rewards Systems Pwned…. I Need To Change My Password

Groceries are not cheap these days. So my wife and I shop at Loblaw where we can earn points on specific groceries that we buy, which we can then redeem to buy groceries. There have been times where we have redeemed enough points to not have to pay a cent for weeks’ worth of groceries. That seems like a good deal. Until I woke up this morning and found that the systems that run PC Plus rewards have been hacked. Here are the details:

Loblaw is warning PC Plus rewards collectors to beef up their passwords after points were stolen from some members’ accounts.

“We are treating this as a breach as individual member accounts were accessed and points were stolen,” said Kevin Groh, the company’s vice-president of corporate affairs and communication, in a statement.

The breach stems from people using favourite or weak username and password combinations across multiple sites, he said.

These combinations were stolen from other sites and used to access PC Plus accounts, according to Groh.

Okay. I will admit that people reusing passwords is a #fail waiting to happen. But this statement does have a bit of a “blame the victim” slant to it as their intrusion detection systems should have been able to detect unusual activity. Assuming that one was in play of course. The way this story reads, it seems like Loblaw found out about this when PC Plus members lost points and told the company. That’s a scenario that should never happen. In the meantime, if you’re a member of PC Points you should change your password to something unique and strong and check your points balance to see if you too have been pwned. I’m advising my wife to do that right now.

UPDATE: I would also strongly recommend that you check to see if there are additional cards on your PC Points account. Reports are now starting to surface that people who have lost points have found additional cards on their accounts. Clearly this is how the points are being stolen.

UPDATE #2: This apparently has been an ongoing issue for Loblaw. Many thanks to “Lisa” who directed me towards this thread on Red Flag Deals that indicates that this hack started late last year. Clearly Loblaw has some explaining to do as they really should have been up front with the public long before now.


9 Responses to “Loblaws PC Plus Rewards Systems Pwned…. I Need To Change My Password”

  1. […] is a bad day for Canadian retailers. Apparently Canadian Tire joins Loblaw in being pwned by hackers as the former has apparently shut down customer access to their online […]

  2. Plus, it would also be helpful if PC allowed you to have a password that was more than 8 characters.

    This isn’t a new thing. It has been reported on redflagdeals as far back as December that this has been happening. PC claimed it had been happening to others as well, but denied at that time they had been hacked.

    This was back in December. Seems they should have done something then to lock people out of their accounts until they changed their passwords!

  3. […] seems that the hack of the Loblaw PC Points rewards program isn’t going away as every member of the rewards program has gotten e-mails over the weekend […]

  4. […] is watching other Canadian companies like Loblaw and Canadian Tire get pwned by hackers and is simply getting ahead of the curve in terms of trying […]

  5. […] that this still has a “blame the user” feel to it. But having said that clearly the Loblaw and Canadian Tire hacks have Canadian businesses […]

  6. […] off an incident where a security issue led to points being stolen, though it’s apparently the users’ fault for having weak passwords, Loblaw has pushed out […]
