Hackers appear to have stolen from Woolworths customers by accessing their rewards cards through a flaw in the app.
Customers took to OzBargain to complain their points were stolen remotely, news.com.au reported.
“My new Woolworths Rewards card has been hacked, points already used in other state,” a customer wrote on OzBargain.
“Applied [for] the card last month with 5,000 points bonus. I received the card today, login, and found the points were used in other state two weeks ago.”
Other users said they had also been stripped of points before receiving their cards.
“Very odd, had one delivered to an address in Parkes NSW, and when I went to use it, the rewards were gone, looked online and someone in The Ponds near Blacktown NSW had redeemed them first. What in the world,” one said.
“Same here. Transaction showed $20 was redeemed at Hurstville with no purchase on 14 July, and then some groceries purchased on 15 July at Parramatta. Looks like a breach on the IT system to me,” said another.
One user was overseas when their card was accessed in Northland, in Melbourne’s north.
The Woolworths app allows anyone to enter a legitimate card number and view the balance on the rewards account without a password. The account’s barcode could then be generated in another rewards app, and be scanned at the checkout to claim the points.
A customer speculated that someone could have ordered several rewards cards and identified a pattern in the numbers to predict other people’s legitimate card numbers.
The breach appears to be affecting new cards issued under a promotion that offered 5,000 introductory points to new members.
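One way an operator could spot the card-number guessing described above on a balance lookup that needs no password, as an added example that is not part of the original article or any Woolworths code. The log format, client identifiers, card numbers, time window and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DISTINCT_CARDS = 3          # assumed: one household rarely checks more cards than this

# Constructed sample log of balance lookups: (timestamp, client id, card number).
# client-A refreshes one card, client-B walks through six cards in a few minutes,
# client-C checks four different cards spread across a whole day.
SAMPLE_LOG = (
    [(f"2000-01-01T09:0{i}:00", "client-A", "CARD-0001") for i in range(5)]
    + [(f"2000-01-01T09:0{i}:30", "client-B", f"CARD-010{i}") for i in range(6)]
    + [(f"2000-01-01T{8 + 2 * i:02d}:00:00", "client-C", f"CARD-020{i}") for i in range(4)]
)


def flag_enumeration(log, window=WINDOW, limit=MAX_DISTINCT_CARDS):
    """Return {client: peak distinct cards in any window} for clients over the limit."""
    recent = defaultdict(deque)  # client -> (time, card) lookups still inside the window
    flagged = {}
    for ts, client, card in sorted(log):
        now = datetime.fromisoformat(ts)
        lookups = recent[client]
        lookups.append((now, card))
        # Drop lookups that have aged out of the sliding window.
        while lookups and now - lookups[0][0] > window:
            lookups.popleft()
        distinct = len({c for _, c in lookups})
        if distinct > limit:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


if __name__ == "__main__":
    for client, peak in flag_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {peak} distinct cards looked up within {WINDOW}")
```

Counting distinct card numbers per client, rather than raw request volume, keeps a customer who repeatedly refreshes their own balance from being flagged.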
Woolworths confirmed it was investigating the complaints, but denied there was a flaw in its app.
“We work hard to ensure our customers’ shopping experience is efficient, seamless and importantly, safe and secure,” a spokesperson told The New Daily.
The spokesperson said Woolworths was monitoring customer feedback.
“Although our investigation shows there is no issue with the functionality and security of the app — we are reviewing how the app experience can be better improved to provide further assurances for customers.
“We take our obligations in relation to customer data very seriously, and have robust controls in place to ensure customer expectations of privacy and security are met.
“We have a continuous program of security enhancements and our apps are constantly reviewed for any improvements in functionality and security.”
Affected customers can contact Woolworths on 1300 767 969.