Boots Suspends Advantage Card Payments After Cyber Attack – Experts Respond

It has been reported that Boots has suspended payments using loyalty points in shops and online after attempts to break into customers’ accounts using stolen passwords. Customers will not be able to use Boots Advantage Card points to pay for products while the issue is dealt with. Boots said none of its own systems were compromised, but attackers had tried to access accounts using reused passwords from other sites. A spokeswoman for Boots said the issue affected less than 1% of the company’s 14.4 million active Advantage Cards – fewer than 150,000 people. But it could not give an exact number as the company was still dealing with the problem.

Expert Comments

March 06, 2020
Barry McMahon
Senior Manager, Identity and Access Management
LastPass
The reality of cyber security is that most breaches result from human error, and one of the biggest ones is using weak and reused passwords on multiple websites and applications, which enables cyber criminals to gain access to systems that are in no other way linked. Boots customers are finding this out the hard way today as passwords they’ve used across multiple platforms, including their Advantage Card passwords, have been hacked. Creating a stronger online security posture will only happen with awareness – of the problem and the available tools to solve it. Everyone needs to understand that poor password hygiene, whether it’s failing to change a default password, password reuse or using weak credentials, greatly increases the chances of being hacked. Once this is a commonly accepted fact, we will see greater adoption of tools like password managers that make creating and managing strong passwords easy, and multi-factor authentication solutions becoming more mainstream.
March 06, 2020
Jake Moore
Cybersecurity Specialist
ESET
In cases like this, criminals utilise a technique known as ‘password stuffing’, where simple tools allow them to use passwords that have been stolen in a previous hack or breach to access multiple different accounts. On the dark web, huge lists of leaked passwords are available at very little cost to bad actors, or sometimes even for free. Many consumers repeat the same two or three passwords across all of their different online accounts, which makes attacks like these even easier for criminals to carry out. Whilst it may be inconvenient to use a unique password for each of the logins you have, the benefits far outweigh the difficulties of keeping your data safe online. My advice would be to use a password manager, where you can store all of your individual, unique passwords robustly online, meaning that you don’t have to remember them yourself. Another way to make password stuffing attacks more difficult for cyber criminals is to make sure you have implemented two-factor authentication on each of your accounts. This extra step of security is essential in protecting your online accounts.
March 06, 2020
Robert Prigge
CEO
Jumio
Over the past 72 hours, Tesco Clubcards and Boots Advantage Cards have had nearly a million personal details compromised and/or stolen by hackers. These hackers have used the credentials and passwords they have stolen from different sites to access these loyalty accounts. But simply reissuing loyalty cards and asking users to change their passwords is not going to prevent the same from happening again. It’s time these businesses stop relying on the password to protect personal data, as passwords can be easily guessed and bypassed, and are also sold for pennies on the dark web as a result of prior data breaches. Biometric authentication is significantly more secure, reliable, and delivers a much higher level of assurance. Leveraging biometrics will protect the next generation of consumers while avoiding the same basic security pitfalls that are fuelling the fraud epidemic plaguing enterprises and consumers alike.
March 06, 2020
Nicky Whiting
Head of Consultancy
Bulletproof
This attack really emphasises the need for users to be far more savvy about their passwords. The hackers simply used existing, known compromised accounts to access the information, knowing full well that a lot of people use the same password for all accounts. Users need to realise that if they want to protect their personal information, they need to take some responsibility and employ password best practices, e.g. separate passwords for each account, long passwords using three random words.
March 06, 2020
Sam Curry
Chief Security Officer
Cybereason
The Boots breach is yet another reminder of how it's become almost a reflex now for retailers to contact customers saying 'we regret to inform you that due to a breach, your personal data may have been....' The number of identity compromises by this point is huge, and yet life continues. Consumers should be working under the assumption that their personal information has been compromised many times over. As an industry, until we can start making cyber crime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive pay-outs. Fool me once, shame on you. Fool me twice, shame on me. Fool me ten times, enough is enough! It's time to really up the ante: minimise the extent of possible breaches and compromises, and minimise exposure when breaches like this occur. Having customer data is a privilege, not a right. The time to beef up security is long past. Explanations for breaches of this sort in the retail industry demand a little more than a form letter and business as usual. If crime actors find a new way to compromise data, the numbers shouldn't be in the tens of millions, and the stories of how it's done should be getting more sophisticated. If not, it's like hanging a sign outside saying "jobs wanted" by the fraudsters, and that's not acceptable in 2020.
March 06, 2020
Boris Cipot
Senior Sales Engineer
Synopsys
Reused passwords are almost as dangerous as weak passwords. Typically, we are under the impression that the only problem posed by passwords is when they are short and simple, making them easy to guess. This is definitely true and explains why we are often reminded to create ‘strong passwords’ requiring a mix of capital and small-case letters, a length of 10-20 characters, as well as the inclusion of numbers and/or special characters. However, we are rarely aware that even the most complex password is not enough if we reuse it across different accounts. Consider all the various app logins, web portal accesses and email client authentications that require a username and password. Most will admit that they are reusing their logins on all these services. This means that if an attacker is able to hack into the user database of a webpage that has low security, they could also obtain access to one’s bank account. This is exactly what attackers are banking on. Writing algorithms that try logging into different services and checking for reused passwords is not a rarity. We read frequently about breaches of databases holding sensitive user information and the distribution of it, giving bad actors from around the world free rein to do what they will with it. In fact, the attack on Boots is a clear example of this occurring. Nevertheless, it is good to see that Boots recognised the attack and stopped it before it became a problem. This is a great example of how things should work. Stopping the breach, preventing the service from being manipulated, and notifying the public on what has happened is the best line of action. I would also suggest that Boots takes it upon themselves to block the use of all existing passwords and make it mandatory for users to create new passwords that comply with all the necessary features to make them ‘strong’.
While I understand the difficulty of creating various ‘strong’ passwords for each service used, one good way of overcoming this is through password managers. Password managers have the possibility to create and store different strong passwords for all your services, while you only remember one main password. You just need to be sure to use a password manager you can trust. Check which ones are recommended and where they come from. Keep in mind that not every app is a good app, and what is free is not always good.
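Jake Moore's comment above describes the credential-stuffing pattern (stolen username/password pairs replayed against many accounts from simple tooling), and Boris Cipot's comment notes that Boots spotted the activity and suggests forcing resets on affected accounts. The following is an added example, not code from the page, from Boots, or from any of the quoted vendors, of what that detection looks like from the defender's side: it parses a constructed sample of authentication log lines (the `src=... user=... result=...` format, the IP addresses and the account names are all invented for the example), flags a source that hits many distinct accounts in a short window with a high failure rate, and lists the accounts that source did get into, which are the ones that need a forced password reset and notification. The thresholds are illustrative assumptions, not Boots' settings.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not real Boots data). One attacker
# source sprays eight accounts in a few seconds and gets into two of them;
# a normal user mistypes their own password twice; another logs in cleanly.
SAMPLE_LOG = """\
2020-03-05T10:00:01Z src=198.51.100.7 user=alice@example.com result=FAIL
2020-03-05T10:00:02Z src=198.51.100.7 user=bob@example.com result=FAIL
2020-03-05T10:00:02Z src=198.51.100.7 user=carol@example.com result=SUCCESS
2020-03-05T10:00:03Z src=198.51.100.7 user=dave@example.com result=FAIL
2020-03-05T10:00:03Z src=198.51.100.7 user=erin@example.com result=FAIL
2020-03-05T10:00:04Z src=198.51.100.7 user=frank@example.com result=FAIL
2020-03-05T10:00:04Z src=198.51.100.7 user=grace@example.com result=SUCCESS
2020-03-05T10:00:05Z src=198.51.100.7 user=heidi@example.com result=FAIL
2020-03-05T10:01:00Z src=203.0.113.9 user=ivan@example.com result=FAIL
2020-03-05T10:01:20Z src=203.0.113.9 user=ivan@example.com result=FAIL
2020-03-05T10:01:45Z src=203.0.113.9 user=ivan@example.com result=SUCCESS
2020-03-05T10:02:00Z src=192.0.2.33 user=judy@example.com result=SUCCESS
"""

# Assumed log line layout: ISO-8601 timestamp, source IP, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _summarise(evs):
    users = {e["user"] for e in evs}
    fails = sum(1 for e in evs if e["result"] == "FAIL")
    return {"accounts": len(users), "attempts": len(evs), "fail_ratio": fails / len(evs)}


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.5, window_seconds=300):
    """Flag a source IP that, inside one sliding time window, touches at least
    min_accounts distinct accounts with a failure ratio >= min_fail_ratio.
    A single user mistyping their own password never reaches min_accounts,
    so ordinary failed logins are not flagged."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most window_seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            stats = _summarise(evs[start:end + 1])
            if stats["accounts"] >= min_accounts and stats["fail_ratio"] >= min_fail_ratio:
                flagged[src] = _summarise(evs)  # report the source's full activity
                break
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts a flagged source logged into successfully: their reused
    password is confirmed to be in the attacker's list, so they need a forced
    reset and a notification, whatever the other accounts' status."""
    hit = {e["user"] for e in events if e["src"] in flagged and e["result"] == "SUCCESS"}
    return sorted(hit)


def analyse(text):
    events = parse_log(text)
    flagged = find_stuffing_sources(events)
    return flagged, accounts_to_reset(events, flagged)


if __name__ == "__main__":
    flagged, resets = analyse(SAMPLE_LOG)
    for src, stats in flagged.items():
        print(f"credential stuffing suspected from {src}: {stats}")
    print("force password reset for:", resets)
```

The per-source "many accounts, mostly failing" signal is what distinguishes a replayed breach list from a legitimate customer who forgets their password: the latter fails on one account, the former on dozens. In practice the same logic is usually keyed on more than the source IP (attackers rotate through proxies), with the distinct-account count taken per ASN, per user agent or globally per minute, and the successes are the list that matters for the forced reset Boris Cipot recommends.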