PC Optimum member hit by theft a 3rd time after Loblaws says password problem fixed
Retailer says program's password reset problem has been 'locked down'
After getting hit by points theft multiple times, some PC Optimum members are questioning a fix Loblaws says it has made to improve the security of its rewards program.
"I do not believe they have fixed anything," said Shawn Nicholson in Halifax. On Wednesday, a thief infiltrated his PC Optimum online account for the third time in less than a month, this time stealing 150,000 points — worth $150.
"I'm beyond the point of frustration," he said.
CBC News previously interviewed Nicholson on April 9, after he was hit by points theft a second time, despite reporting his case and beefing up his password.
At the time, Loblaws said it was working to fix a glitch in the program's system that allowed a thief to stay in a member's online account, even after the initial theft was discovered and password reset. By April 13, Loblaws said it had resolved the problem.
However, five days later on April 18, Nicholson's thief struck a third time, spending most of his points at the same location as before — a Loblaws-owned Maxi store near Montreal.
"I have zero confidence in the security of my account," he said.
Is it fixed?
CBC News contacted Loblaws about Nicholson's third theft. The retailer said that the underlying problem with the password resets has been "locked down," but that addressing all the thefts will take time.
"The issue has been identified and resolved, but involves a manual process at our end, once we've been in contact with the customer," said spokesperson Catherine Thomas in an email.
Nicholson says Loblaws did contact him last week and returned his 140,000 points from the first two thefts.
"I thought everything was resolved and fine," he said.
But following the third theft, Nicholson says he'll only feel safe once PC Optimum deletes his account and sets him up with a new one.
<a href="https://twitter.com/hashtag/Loblaws?src=hash&ref_src=twsrc%5Etfw">#Loblaws</a> - Someone stole my PCOptimum points (over $800 worth) more than a month ago. I've been calling Loblaws and sent messages via Twitter. No one seems to care. Will be cancelling my PCMastercard soon.—@ancel_troskie
Just had ANOTHER 30,000 points stolen from my <a href="https://twitter.com/pc_optimum?ref_src=twsrc%5Etfw">@pc_optimum</a> account, after changing password, etc last week! Fix this, <a href="https://twitter.com/ShopprsDrugMart?ref_src=twsrc%5Etfw">@ShopprsDrugMart</a> & <a href="https://twitter.com/LoblawsON?ref_src=twsrc%5Etfw">@LoblawsON</a>!! <a href="https://twitter.com/CBCNews?ref_src=twsrc%5Etfw">@CBCNews</a> <a href="https://twitter.com/sophiaharrisCBC?ref_src=twsrc%5Etfw">@sophiaharrisCBC</a>—@BrettPolegato
Since Loblaws launched its new PC Optimum rewards program on Feb. 1, CBC News has heard from more than 50 members complaining of points theft and sometimes long waits to get their issues addressed.
The retailer said the PC Optimum program is secure, members' information is safe and that stolen points will be restored.
But following repeat thefts, some members question if Loblaws is doing enough.
"The system is far too vulnerable," said PC Optimum member Joel Du Broy in Ottawa.
Police on the case
According to his account records, on April 12 someone spent a whopping 1.6 million of Du Broy's points — worth $1,600 — mainly at Loblaws-owned Pharmaprix stores in Montreal.
"I was really upset," he said. "It's a bit hard to sleep at night when you have that amount of money missing."
On April 13 — the day Loblaws confirmed it had resolved its password reset problem — Du Broy says he reported the theft, and a PC Optimum agent told him to change his password. He says he did, along with changing the email address associated with his account.
The next day, however, another 350,000 points went missing from his account, spent at one of the same Pharmaprix stores.
Du Broy says he actually saw the points disappear from his account in real time while discussing the initial theft with PC Optimum.
"I was on the phone with customer service as I was being looted," he said. "My jaw just dropped."
In order to prevent future points thefts, he believes Loblaws should implement tougher security measures such as a two-step verification process when members spend more than $100 worth of points in a store, and when someone new joins a member's account.
PC Optimum offers the joining feature for members who want to pool their points, such as families.
"That's non-negotiable," said Du Broy who noticed that a stranger had linked their own PC Optimum card to his account at the time his points went missing.
"If somebody wants to add a household card to my account, I certainly better approve it."
For at least a week now, PC Optimum's "pool your points as a household" feature has been temporarily disabled.
Loblaws did not say whether this move is connected to the rash of thefts.
After CBC News contacted Loblaws, Du Broy got his stolen points back. He has set up a new PC Optimum account, convinced that's the only way he can protect himself from future theft.