
Boots advantage card cyber-attack affects 150,000 customers




Boots, the worldwide health and beauty retailer and pharmacy chain, has suspended payments using Advantage Card points in shops and online after a cyber-attack. After noticing ‘unusual’ activity on a number of loyalty card accounts, Boots announced that customers will not be able to use their Advantage Card points to pay for any products whilst the issue is dealt with.

Boots insist that none of its own systems were compromised, but attackers have attempted to access accounts using reused passwords from other sites. This is known as ‘password stuffing’.

A spokesperson for Boots told the BBC “The issue affected less than 1% of the company’s 14.4 million active Advantage Card users – this is fewer than 150,000 people.” The company is still dealing with the problem so it could not give an exact number.

They went on to say that no credit card information had been accessed and that suspending payments using points removed the risk of hackers stealing the points to spend themselves.




In a statement, Boots said “Our customers’ safety and security online are very important to us. We can confirm we are writing to customers if we believe that their account has been affected, and if their Boots Advantage Card points have been used fraudulently, we will, of course, replace them. We would like to reassure our customers that these details were not obtained from Boots.”

In the meantime, when making purchases in Boots, customers can still earn points but they cannot pay using them. Boots hopes to have Advantage Card payments back up and working again as soon as possible. Following the cyber-attack, the company has also advised customers to reset their passwords online and to choose a unique password that they have not used before on other websites.

Just days before, Tesco announced a similar issue had occurred with 600,000 of its Tesco Clubcard users in another password stuffing attempt.


What is ‘password stuffing’?

“Password stuffing”, more commonly known as credential stuffing, is when an attacker takes information from another data breach, such as compromised usernames and passwords, and then tries to log into different websites using this information, hoping to gain access.
This is such a huge issue because many people use the same email address and password combination for multiple websites. When their data is breached on one website, it can therefore be used to gain access to their accounts on other websites.

Tesco has informed customers that they believed an attacker had used a compromised list of usernames and passwords to try and gain access to its customers’ accounts and that in some cases it worked. The supermarket also added that no financial information was obtained and it had restricted access to the accounts affected.





Password reuse is a big issue in cyber-security. Once your data has been breached, these lists of passwords and usernames can be easily found by others and used to access other accounts. If possible, you should use two-factor authentication on your accounts to make a password stuffing attempt much harder. It is also advised that you use a unique password for each account and use a password manager to store your passwords safely, so you don’t have to remember them all.

Claiming compensation for a Data Protection Breach

You cannot make a claim against Boots for this cyber-attack, as the customer data was not breached through them. However, if you were affected, it means your data was breached elsewhere. This means that another company has not securely held your data and has, therefore, put your personal information at risk. If you have fallen victim to a data protection breach, you could be entitled to claim compensation.

Data protection breaches can cause emotional and financial suffering to those affected and claiming compensation can help you to recover any losses that may have come because of the breach. Under GDPR, by law, any public bodies or private companies that collect a significant amount of sensitive information about people have to store this data responsibly and can be prosecuted if they do not do so.




HNK Solicitors are experts in Data Protection Claims

If you have been the victim of a data breach, contact HNK Solicitors. We are specialists in pursuing claims for data protection breaches. We are currently handling several data protection claims for high-profile data breaches, such as the recent British Airways data breaches where hundreds of thousands of customers’ personal information and financial details were compromised.

When claims are made against large corporations or companies, we start a group litigation case. This is where a group of people affected by the same issue collectively bring their cases to court against the Defendant. This helps to strengthen their overall position and increase the chances of a settlement or success in litigation. We currently have group litigation cases against several companies including British Airways and Dixons Carphone. If you have been affected by any of these data breaches, contact us today to find out if you can join our group litigation claim.

To find out more about pursuing a claim for a data protection breach, visit our Data Protection Claims page. Alternatively, call us on 0151 203 1104 or email us at enquiries@hnksolicitors.com.
