London family says their PC Optimum points were stolen and used in another province

A London family says someone hacked into their PC Optimum account and redeemed their points at a Quebec PharmaPrix. Western University law professor Samuel Trosow says he'd be surprised if they were the only ones this had happened to.

A Western University law professor says customers need to demand stronger privacy standards

Mike and Heather Prangley say they've since gotten their points back, but wonder if the same situation might be happening to other people. (CBC)

A London couple was left rattled after they say they had more than 300,000 PC Optimum points stolen and redeemed at a Quebec PharmaPrix. 

Mike and Heather Prangley say it was a long road to getting those points back.

Mike Prangley says he logged onto his PC Optimum account in February and found that more than 300,000 points were missing and that his name had been changed. (Submitted)

Mike Prangley said he checked his PC Optimum app on February 24 and noticed that he was missing several hundred thousand points and that his first name on the account had been replaced with someone else's.

"It said that the night before I had redeemed 310,000 points at the Shoppers equivalent in Quebec. I was not in Quebec the night before, and obviously someone [had] stolen these points off of our card," said Prangley. 

Prangley said he called the PharmaPrix owner, who was able to confirm the date and time that the points were redeemed.

"She said it seemed really suspicious what he was doing, but there's no check and balance on the PC card," said Prangley. "It's just if you've got the balance on your PC Card you can just go in and use it; you don't have to show any ID or any proof."

Although Prangley said he was able to quickly find out where his points had gone, it was more difficult to get them back.

Heather Prangley said the couple contacted PC Optimum's customer service '9 or 10' different ways to try to rectify the situation, including calls, tweets, e-mails and instant messages.

All in all, it took more than two weeks for them to get a response from someone who was able to reset the points balance, she said.

Loblaws response

Loblaws says they take any sign of unusual activity very seriously. (Ryan Remiorz/Canadian Press)

CBC News reached out to Loblaws public relations to find out what had happened to the points, how many times these privacy breaches have occurred and what safeguards Loblaws puts in place to guard customer data.

The day that CBC sent a follow-up email signalling that we would soon be publishing the story, Heather Prangley said she got a phone call from a customer service rep who put the points back on her account within approximately '40 seconds.'

The customer service rep was not able to say how the family's card was compromised, but offered a bonus 25,000 points as a goodwill gesture, Prangley said.

In an email statement, Loblaws PR said that the privacy and security of customer accounts is very important to the company, and they had reached out to the family to reinstate their point balance.

"We have strong security measures in place across our digital platforms and take any sign of unusual activity very seriously," the company said in an email.

Loblaws PR has not yet responded to further questions about how often these privacy breaches happen.

Western prof: Privacy law too vague

Law professor Sam Trosow says privacy laws require companies to have 'adequate safeguards' for customer information, but don't go into much detail about what 'adequate' means. (PC Optimum)

Western University law professor Sam Trosow said he would be very surprised if the Prangleys' situation was 'a one-off thing.'

"If this hacker in Quebec is able to access their information, there's probably a weakness in their system that's allowing other people to do it as well," said Trosow, who urged PC Optimum customers to check their balances and report any unusual activity.

Trosow said companies that deal with large quantities of customer information have an obligation to use adequate safeguards, but that existing privacy laws don't go into much detail about what those safeguards should look like.

"Unfortunately—and I think this is where the law needs to be strengthened a bit—there's no standard," he said. 

"It just says 'adequacy,' so typically the terms of service say something along the lines of 'your privacy is very important to us,' but they don't go into any detail about what system they're using." 

Recommended privacy solutions

Trosow said he'd like to see stronger laws that define exactly what companies' privacy obligations are and require companies to publicly acknowledge data breaches as soon as they happen.

Another solution could be to have an independent third party perform privacy audits for companies and report back to the public on whether standards are being met, Trosow said. 

In the meantime, he said consumers also have a role to play in demanding greater security standards from their digital products.

For their part, the Prangleys say that they have no hard feelings for Loblaws, but hope that the company will let customers know if these types of privacy breaches are a recurring problem.

"It's a free benefit, so it wasn't exactly life-altering," said Heather Prangley. 

"But from a privacy issue... If there's flaws in the system then they need to come clean about it. If the person who redeemed our points is reflective of a larger issue, then people should know that."