Citing "recent industry-wide fraud concerns," popular loyalty points program Scene+ sent an email to members this week informing them of ways to protect their accounts and changes to the program.
It's the latest incident in an increasing trend of cyberattacks and "incidents" that target public and private organizations across Canada, which in the last few months have included the Toronto Public Library, Indigo Books and five hospitals in Southern Ontario.
Scene+ is a free program partnership between Cineplex and Scotiabank, which allows members to collect points for free movies. It's since expanded its rewards to include groceries at some Empire Company-run stores — Sobeys, FreshCo, Safeway, to name a few — and meals at restaurants like Harvey's and Swiss Chalet.
Redditors share loyalty point theft stories
About a month prior to the email that was sent to Scene+ members, a Redditor took to the platform to detail their experience having their Scene+ card “jacked” of all points. Many in the comments shared similar stories about Scene+ and other loyalty program points, like PC Optimum Points — awarded and used at Loblaws-owned stores like Shoppers, No Frills and the Real Canadian Superstore — and Dominos.
“Ever since my PC Points got hacked, I use all my loyalty points as fast as possible,” one person wrote.
“This is nearly as bad as the time someone jacked my free medium pizza from Dominos,” another wrote, adding that they felt "violated."
“Got an email notification one day that my pick up order was confirmed for some random place in Ontario (I’m from PEI) but I had seen it too late. Dominos wasn’t willing to do anything. I just feel violated.”
An expert explains: Companies need stronger security
Gordon Agnew, a professor emeritus at University of Waterloo whose expertise is in encryption and data security, says these types of scams have been going on for a long time. According to the Loyalty Security Association, "$3.1 billion of redeemed loyalty points were fraudulent."
He says the problem is that many companies and loyalty members don’t see points as valuable, so they don’t check or secure their accounts.
In 2018, for example, millions of points were stolen from customers after the company merged its PC Plus program with Shoppers Drug Mart’s Optimum program. While the problem persisted, parent company Loblaw continues to insist that is has strong security measures in place.
“There’s lots of ways for attackers to find (customer loyalty accounts) and a lot of companies don’t put much security on their loyalty program accounts,” Agnew tells Yahoo Canada. “So it’s low hanging fruit.”
Cybersecurity tips: How to keep your loyalty points from getting stolen
As a result, companies are increasingly putting more stringent security measures in place, like secure log ins and multi-factor authentication.
As for consumers, Agnew says they should be sure to use a strong password, but don’t use the same one for multiple accounts.
In their email to members, Scene+ also offered tips on what customers can do to protect themselves from scammers and how to spot phishing scams.
These include creating strong passwords for accounts, keeping passwords and card numbers secure and private, not allowing anyone to take a photo of a loyalty card, and staying up to date with account details.
It also provided ways to avoid phishing scams that trick customers into revealing personal details. It advised to not click links in unexpected emails or webpages asking for account info, verifying that the email address from the sender is legitimate, and being wary if the email is riddled with grammatical errors.