Boots halts Advantage Card payments after cyber-attack

  • Published
Boots Advantage CardImage source, Getty Images

Boots has suspended payments using loyalty points in shops and online after attempts to break into customers' accounts using stolen passwords.

Customers will not be able to use Boots Advantage Card points to pay for products while the issue is dealt with.

Boots said none of its own systems were compromised, but attackers had tried to access accounts using reused passwords from other sites.

It comes days after a similar issue hit 600,000 Tesco Clubcard holders.

A spokeswoman for Boots told the BBC the issue affected less than 1% of the company's 14.4 million active Advantage Cards - fewer than 150,000 people.

But it could not give an exact number as the company was still dealing with the problem.

No credit card information had been accessed, they said.

Suspending payments using points removed the risk of hackers stealing the points to spend themselves, the spokeswoman said.

Customers can still earn points when making purchases, and Boots hopes to have point payments back up as soon as possible.

Image source, Getty Images
Image caption,
Boots launched its Advantage Card in 1997

"We are writing to customers if we believe that their account has been affected, and if their Boots Advantage Card points have been used fraudulently we will, of course, replace them," the company said in a statement.

"We would like to reassure our customers that these details were not obtained from Boots," it added.

The Boots Advantage card lets shoppers collect four points for every £1 spent, and each point is worth a penny. For example, a card with 200 points could be used to pay for an item worth £2.

But the points can also be used when purchasing items online.

So-called "password stuffing" happens when an attacker uses a list of compromised usernames and passwords from a previous data breach.

They then try to log in to a different website, hoping for a match.

Because many people use the same email and password combination for several websites, some of the combinations on the compromised list might work.

In Tesco's case, the supermarket giant told customers it believed that a compromised list of usernames and passwords had been used to try to gain access to its customers' accounts - and it may have worked in some cases.

It said no financial information was accessed, and it had restricted access to the accounts to prevent fraudulent use.

Jake Moore, cyber-security specialist at internet security firm Eset, said that Boots reminding their customers about the risk was a good move - but that password reuse is a "gigantic problem" in cyber-security.

"These lists of passwords can be easily found on the dark web for very little, or even free," he said.

"It would be a good idea for people to check they have implemented two factor authentication on each of their accounts as this makes the password stuffing attack that much harder."

"My further advice is to use a password manager to store your uniquely different passwords robustly online so you don't have to remember them all."

Boots said customers could reset their passwords online, and should choose a unique password not used on other sites.