PC Optimum members get hit by points theft twice. Loblaws blames password glitch
Even after changing password, people had more points stolen from their account
Thieves continue to steal hundreds of thousands of PC Optimum rewards points, and some members have had the misfortune of being hit twice.
The reason? A glitch in the program's system allowed a thief to stay in a member's online account even after the initial theft was discovered and the password reset.
"How secure is their program?" said William Grobe of Kitchener, Ont., who recently got hit by theft a second time, after beefing up his password. He had 250,000 points stolen in total. "It feels like someone's in [my account] in spite of any security."
After being contacted by CBC News on Monday, PC Optimum's owner, Loblaws, said it was fixing the password reset glitch, and reported on Friday that the problem had been resolved. The retailer said only "a very small number" of its nine million members had been negatively affected.
Since launching on Feb. 1, the PC Optimum rewards program has battled a handful of technical issues, including strangers' accounts being combined together and members' points disappearing into cyberspace.
Technical glitches aren't the program's only problems. More than 40 PC Optimum members have complained to CBC News that they've had points stolen, ranging from $120 to $1,160 in value.
Loblaws has advised members to protect themselves by creating strong, unique passwords. But that didn't quite work out for Grobe in Kitchener.
According to his account records, on March 23, a thief stole 240,000 points — worth $240 — and spent them at two Loblaws Pharmaprix drugstores in Montreal.
Grobe says he alerted PC Optimum and created a stronger password. But the thief struck again just two days later, this time spending 10,000 of his points at one of the same stores.
"You feel a bit violated," said Grobe. "If I get my points back, how do I know they're not going to be stolen again?"
Just had my <a href="https://twitter.com/pc_optimum?ref_src=twsrc%5Etfw">@pc_optimum</a> points stolen AGAIN! $540 worth! By someone going on a shopping spree in Brampton AGAIN! Get your act together <a href="https://twitter.com/pc_optimum?ref_src=twsrc%5Etfw">@pc_optimum</a>! 😡—@BX93Rachel
According to Shawn Nicholson's records, someone hacked his account and stole 60,000 points — worth $60. The thief spent them on March 24 and 26 at a Loblaws Maxi grocery store near Montreal. Nicholson lives in Halifax.
By March 28, PC Optimum had returned Nicholson's points and advised him to secure his account by changing his password.
He did just that and thought his troubles were over. However, days later, the thief struck again, stealing 80,000 points this time, and spending them at the same Maxi store.
"I was really confused," said Nicholson.
He changed his password once again. When he reloaded the PC Optimum app on his phone, he noticed something strange: he was able to access his account and virtual PC Optimum card without having to enter the new password.
"I was quite shocked," Nicholson said, believing that was how the thief struck again so quickly. "If someone had gained access or breached the account previously, a change of password wouldn't make a difference."
Loblaws spokesperson Kevin Groh acknowledged the password reset glitch has caused "inconvenience and concern" for some members.
"Their personal information is safe and every last point will be restored," he wrote in an email.
After being contacted by CBC News, Loblaws called both Grobe and Nicholson and returned their stolen points.
Nicholson is pleased Loblaws fixed the password reset problem, but he's still concerned about thieves infiltrating accounts in the first place and stealing points.
"I can't say my faith is completely restored," he said. "How did they gain access? Was there a data breach of some sort?"
Just had 60,000 points stolen from my <a href="https://twitter.com/pc_optimum?ref_src=twsrc%5Etfw">@pc_optimum</a> account and my account info changed. Looks like <a href="https://twitter.com/LoblawsON?ref_src=twsrc%5Etfw">@LoblawsON</a> & <a href="https://twitter.com/ShopprsDrugMart?ref_src=twsrc%5Etfw">@ShopprsDrugMart</a> still haven’t fixed things! <a href="https://twitter.com/CBCNews?ref_src=twsrc%5Etfw">@CBCNews</a>—@BrettPolegato
My <a href="https://twitter.com/pc_optimum?ref_src=twsrc%5Etfw">@pc_optimum</a> was hacked. Would really like my 80,000 points back.....—@Dorothydawn76
Industry experts say the thieves could be initially infiltrating accounts due to members creating weak passwords. Loblaws didn't comment on the cause, but the retailer did say the PC Optimum program is very secure and it continues to add new safeguards.
Meanwhile, CBC News continues to receive theft reports. The most recent cases include Carolyn Lampshire in Kenora, Ont. This past week, a thief stole 240,000 of her points and spent them at a Pharmaprix in Drummondville, Que.
On March 31 and April 7, a thief stole a total of 220,000 points from Nicole Caputo's account and spent them at Maxi stores in Montreal. Caputo lives in Sault Ste. Marie, Ont.
"It's so creepy," she said. "It's just crazy to think someone could actually get into [my account] and use it no problem."