February 9, 2017 7:58 am
Updated: February 9, 2017 8:19 am

PC Plus points stolen from customer accounts in security breach

A Loblaws store in Toronto is shown on Thursday May 2, 2013. Loblaw is warning PC Plus rewards collectors to beef up their passwords after points were stolen from some members' accounts. THE CANADIAN PRESS/Aaron Vincent Elkaim

TORONTO – Loblaw is warning PC Plus rewards collectors to beef up their passwords after points were stolen from some members’ accounts.

“We are treating this as a breach as individual member accounts were accessed and points were stolen,” said Kevin Groh, the company’s vice-president of corporate affairs and communication, in a statement.

Meanwhile, Global News reported Tuesday that Canadian Tire shut down customer access to online accounts this week in the interests of protecting their personal information.

“We recently noticed unusual traffic on our website and suspended customer sign-in capabilities while we investigate,” communications manager Stephanie Nadalin told Global, which said it had been alerted to the problem by an unnamed Canadian Tire customer.

WATCH: One of Canada’s largest in-store and online retailers has acknowledged it suffered a security breach forcing it to prevent customers from checking their points and credit card accounts. Sean O’Shea reports.

Those trying to access their points and credit card information on their computers instead saw a message saying that the sign-in option was “temporarily unavailable” and the company was working on the problem.

Groh said the Loblaw breach stems from people using favourite or weak username and password combinations across multiple sites.

These combinations were stolen from other sites and used to access PC Plus accounts, according to Groh.

In an email to PC Plus members sent late last month, Loblaw (TSX:L) pointed to sites like Yahoo and LinkedIn, which were both hacked in recent years.

A warning message seen on the PC Plus website on Thursday.

Last year, LinkedIn said a 2012 security breach compromised more than 100 million user passwords. It was previously believed only 6.5 million passwords were implicated.

Also last year, Yahoo said the personal information of more than one billion of its users was stolen during a 2013 breach.

Loblaw said the company is unable to disclose how many accounts lost points as the company is continuing to work with any members whose points were taken to reinstate them.

The company emailed all PC Plus members late last month, urging them to update their passwords. It asked members to create unique passwords that are a combination of letters, numbers and characters, and to change them frequently.

Loblaw also notified law enforcement, Groh said.

Groh said Loblaw’s IT security team is monitoring unusual activity and is investigating any possibility of underlying IT vulnerabilities.

Tips for creating secure passwords

Loblaw is urging customers to change their passwords to be more secure in light of the security breach. Here are some tips to create a secure, hard-to-guess password:

Stay away from easy-to-guess passwords like “123456” or “password” as well as easy-to-guess identifiers, like your dog’s name.

Numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. Similarly, the longer the password the better.

Passwords that use up to 10 uppercase and lowercase letters mixed with numbers are proven to be more secure – despite being hard to remember.

One tip is to construct a password from a sentence, mix in a few uppercase letters and a number – for example, “There is no place like home,” would become “tiNOplh62.”

And remember, try not to use the same password for any two accounts.

– With files from Global News reporter Nicole Bogart

© 2017 The Canadian Press
