#Privacy: Boots suffers cyber attack

Capital One

The UK’s leading health and beauty retailer has suspended its Advantage Card payments following a cyber attack. 

The suspension follows after the company’s IT security team detected unusual activity on a number of Boots Advantage cards. Therefore, by halting payments using points it removed the risk of threat actors stealing the points and spending it themselves.

Boots has confirmed that none of its own systems were impacted, and the attack is said to have affected less than 1% (150,000) of the company’s 14.4 million active Advantage Card users. 

No credit card information had been accessed, Boots said. 

“We are writing to customers if we believe that their account has been affected, and if their Boots Advantage Card points have been used fraudulently we will, of course, replace them,” the company said in a statement.

“We would like to reassure our customers that these details were not obtained from Boots,” it added.

Oz Alashe, CEO of British cyber security awareness and analytics platform, CybSafe, explained that the cyber attack relied on “password stuffing”, whereby an attacker utilises a database of already compromised email addresses and passwords collected from a previous data breach, in order to gain access to an online account. 

“This is precisely the same technique which was recently employed against Tesco. Certainly, other retailers with an online presence could be in the firing line here,” said Alashe. 

“Our own data analysis at CybSafe suggests that approximately 1 in 10 Brits are using a password combination that has been compromised in a breach. That might not seem like such a big number, but when you scale this up to hundreds of thousands of accounts, this presents a very significant risk.

“Members of the public can check if they are using a breached password with the website haveibeenpwned. Besides this, we would recommend using two-factor authentication if possible, as well as a password manager. A password manager allows you to use different combinations across all of your accounts and means that you only need to memorise one master password.”

The news comes after the UK’s supermarket giant, Tesco had to issue over 600,000 Clubcards after becoming aware of fraudulent activity

It is believed that password stuffing was also used by the attackers targeting Tesco.


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.