The Boots Advantage Card hack: What happened and who was affected?
Many retailers offer reward schemes to their customers, allowing frequent purchasers to claim discounts and other benefits. This is obviously great for you as a customer, but it doesn’t come without certain risks. In order to amass these rewards, you’ll usually need to set up an account. And as with any system based around digital accounts, there is the potential for your information to be accessed by others – and even your rewards to be stolen! The Boots Advantage Card hack from March 2020 is a perfect example of these dangers.
In this post, we’ll explain how the Boots Advantage Card hack happened and who was affected. We’ll look at how it relates to other kinds of data breaches, and how you can protect yourself if your personal data is at risk. Finally, we’ll discuss how a data breach can in some cases entitle you to claim compensation.
The risks of a data breach
Data breaches are now a regular feature of the news cycle, and the numbers of people affected by breaches are often astronomical. In many respects, this is unsurprising. After all, most people now share their personal information with a wide range of organisations and companies in order to make use of their services.
This is particularly true for online retail. A World Economic Forum survey from June 2021 found that the use of smartphones for making purchases had more than doubled since 2018. Further, the report states that the COVID-19 pandemic has led to a “historic and dramatic shift in consumer behaviour” toward greater use of online retail.
In most cases, making purchases online entails sharing your personal information with the business you’re buying from. Your name and address for deliveries, your debit or credit card details to make payment, your date of birth if you’re buying age-restricted products… All of this is information you may be expected to share with the retailer – and which you would certainly not want to become widely available.
Hence, data protection is a growing concern. It’s important that we can be confident organisations and businesses are taking steps to protect the information we share with them. We should be certain that it is not being used for purposes other than the ones we intend, nor being exposed to people who are not authorised to access it.
Unfortunately, however, these expectations are not always met. And no matter how secure a particular company’s data protection measures are, there will always be ways to circumvent them.
The Boots Advantage Card hack
Even with traditional in-person retail, we increasingly find ourselves sharing personal information. As mentioned above, many retailers now operate digital reward schemes. In most cases, these require you to sign up for an account in order to begin collecting your rewards. This is used to tie the specific rewards you earn to your identity and prevent them from being accessed or stolen by others. These rewards can be earned and spent both in-store and online.
The background
The Boots Advantage Card scheme is a perfect example of such a rewards program. The scheme assigns you “points” for purchases in Boots shops or through their online store. These points can then be redeemed for discounts on future purchases.
In order to get an Advantage Card, however, you’ll need to register for an account with Boots. At the very least, you’ll need to provide an email address and a password. This can be linked to a physical card that you scan at the till, or with an app on your smartphone. This allows the points you earn to be linked to your account and accessed by you alone – or this is the idea, at least.
As with any digital account of this kind, however, there are risks. Ultimately, you are sharing information that is subsequently being stored by the company (or by a third party they contract for this purpose). While in principle this information is safeguarded, in practice there are always potential vulnerabilities.
The hack
In March 2020, Boots suspended payments using its Advantage Card scheme after attempts were made to break into customers’ accounts. According to a spokesperson for Boots, 150,000 customers were affected.
In fact, it was not a vulnerability in Boots’ security systems that was responsible for the Boots Advantage Card hack. The hackers who committed the attack had stolen a database of emails and passwords from a different website and then used these to try to access the Boots accounts. This is called “password stuffing” (more commonly known as “credential stuffing”). As many people reuse email and password combinations across sites, a list stolen from one website will often allow attackers to access a significant number of accounts on other websites.
This goes to show the challenges that companies face keeping your data safe in an online environment where the incentives for cybercriminals are high – and growing every day.
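A defender's view of the technique described above, as an added example that is not from Boots or from this post: it flags a source address that tries many different accounts in a short window with mostly failed logins, which is what separates password stuffing from a customer mistyping their own password. The event format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2020, 3, 1, 9, 0, 0)  # constructed start time for the sample data

def build_sample():
    """Constructed login events: (timestamp, source_ip, account, success)."""
    events = []
    # One source working through a leaked list: 12 accounts, one try each.
    for i in range(12):
        events.append((T0 + timedelta(seconds=10 * i), "203.0.113.7",
                       f"user{i:02d}@example.com", i == 8))
    # A customer mistyping their own password three times, then succeeding.
    for i in range(4):
        events.append((T0 + timedelta(seconds=20 * i), "198.51.100.20",
                       "alice@example.com", i == 3))
    # Ordinary successful logins, each from its own address.
    for i in range(5):
        events.append((T0 + timedelta(minutes=i), f"198.51.100.{30 + i}",
                       f"shopper{i}@example.com", True))
    return events

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=10, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts, mostly unsuccessfully,
    inside one sliding time window. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            accounts = {acct for _, acct, _ in chunk}
            failures = sum(1 for _, _, ok in chunk if not ok)
            if len(accounts) >= min_accounts and failures / len(chunk) >= min_fail_ratio:
                alerts[ip] = {
                    "accounts_tried": len({a for _, a, _ in rows}),
                    # Successful logins from a flagged source: restrict and reset these.
                    "logged_in": sorted({a for _, a, ok in rows if ok}),
                }
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_stuffing(build_sample()).items():
        print(ip, info)
```

The `logged_in` list is the set of accounts to restrict and force a password reset on, since a successful login from a flagged source means a reused password worked.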
The consequences
According to Boots, the Advantage Card hack did not lead to the exposure of any sensitive customer data. They stated that no credit card information had been accessed, and the affected accounts were temporarily restricted to avoid reward points being stolen or used by the hackers.
However, this hack does reveal the dangers that we are exposed to when we share our data. Indeed, this hack is believed to have been carried out by the same group who used an identical method to hack Tesco Clubcards, affecting 620,000 customers.
These incidents demonstrate how even the exposure of limited amounts of data – an email and password combination for a single site – can potentially lead to substantial repercussions.
In this case, no financial information was exposed to the hackers, but it is not hard to imagine a different outcome.
Further, even with only an email, hackers can conduct elaborate “phishing” scams, posing as a trusted business to gain even more of your information.
There are, of course, steps you can take to help keep yourself safe. These include making sure you do not reuse passwords for multiple accounts and double-checking the veracity of emails you receive purporting to be from a trusted organisation. If you are contacted to say your data has been exposed, read our blog to find out the steps to take to keep yourself as safe as possible.
However, there is only so much you can do individually to protect your data. This is why it is so important that companies take all necessary steps to prevent unauthorised access to your information – even if this information isn’t sensitive in and of itself. Thankfully, there are regulations in place to make sure that this responsibility is taken seriously.
Data protection regulations: Know your rights
The key data protection regulations in the UK are the UK GDPR and the Data Protection Act 2018. These regulations codify in law the steps that any company or organisation must take to protect the personal information that it stores or processes.
At the core of these regulations is the idea that your personal data belongs to you. Thus, you have the right (certain exceptional cases aside) to decide who can access it, how it is used, and how long it can be retained for, among other things.
Companies that fail to meet the requirements of this legislation can be subject to substantial fines. Indeed, on 16th July 2021, Luxembourg’s data protection authority fined Amazon an astonishing £636 million for breaching GDPR rules. Amazon insists it will contest the fine, which it states is “without merit”.
The fine was not due, in this case, to the exposure of customers’ data to a third party. Rather, it was related to the unauthorised use of this data to target customers with advertisements.
As this shows, it is not simply a question of protecting your data from cybercriminals. It is about making sure you are in control of your data and how it is used. This indicates just how seriously GDPR takes your rights over your personal data.
The impact of a data breach
There is another aspect of the GDPR that displays the seriousness with which it takes the protection of your personal data. The GDPR gives you the right to claim compensation from any organisation that has failed to protect your data, particularly if this failure has had a damaging impact on you.
After all, the damages resulting from a data breach can be far-reaching and their implications long-lasting. They can include:
- Financial losses
- Reputational damage
- Emotional distress
- Loss of control
Of course, we can all clearly anticipate the possible financial impact of a data breach. Cybercriminals getting access to your bank details can obviously lead to major issues. But it’s important to remember that the emotional and psychological consequences can be just as severe. Losing control of your personal data can lead to anxiety, loss of sleep, and a range of other effects on your mental and physical health.
If your data has been exposed in a data breach, it’s important to consider the possibility of seeking compensation. This is particularly so if you have suffered some specific damages as a result of the breach, including any emotional distress.
Claiming compensation for a data breach
In order to seek compensation for a data breach, you’ll need to take the organisation in question to court. It’s vital that you get legal advice before doing so, ideally from solicitors experienced with data breach cases.
Here at HNK, we’ve helped many of our clients claim compensation for the effects of a data breach. With a detailed understanding of the regulations involved – as well as the damage that the exposure of personal data can cause – we can help you understand if you might be entitled to compensation. If we do think you have a valid claim, we can offer to take it up on a no-win, no-fee basis.
So, if you have had your personal data exposed in a data breach, get in touch today and find out how we can help you. Simply fill out the form on our website to request a callback. Alternatively, call us on 0151 203 1104 or email us at enquiries@hnksolicitors.com.