Fraudsters attacked the loyalty program of Canadian entertainment and movie company Cineplex, the company said in a statement. The attackers stole loyalty points from customer accounts, although it remains unclear exactly how they used them. Cineplex temporarily shut down the popular program in order to protect program participants. The incident is one example of a growing trend of fraudsters using Account Takeover Fraud techniques to gain access to customer loyalty point accounts.
SCENE Card, which runs the program and issues its account numbers, released a statement to Twitter telling customers that they would be reimbursed for any movie ticket purchases they incurred while the program was shut down:
“Some of our members are experiencing issues with their SCENE accounts. Your points are secure, and we’re working to resolve it. Reach out to us at https://t.co/O1nFlISa0O if you’re having issues. If you were unable to redeem points for a free movie today, please include a receipt,” the tweet said.
In addition, Cloudflare, the data company that stores the program’s information, released a statement saying that an anti-spam tool was the source of the vulnerability that allowed the hack. It further revealed that the vulnerability was closed on February 18th, 2019, and that all leaked information that had been cached by search engines had been removed.
“We wanted to ensure that this memory was scrubbed from search-engine caches before the public disclosure of the problem so that third parties would not be able to go hunting for sensitive information,” the company said in a statement.
The disruption caused widespread outrage among consumers, who found themselves locked out of their accounts. In comments to Canadian news outlet CTVnews.ca, many criticized the company both for not protecting their data better and for allowing this specific attack to escalate to the point that customer accounts needed to be suspended. They also expressed frustration that, while some customers will receive entirely new SCENE card numbers and barcodes, Cineplex’s only advice to those who do not was to change their passwords.