After a series of fraud allegations across multiple Canadian rewards-points systems and a global cloud-service data leak, Cineplex Inc. "proactively" asked users with accounts on its website to change their passwords on Friday.
In an e-mail, a Cineplex spokesperson told The Globe and Mail that "we are aware of the data breaches that have been happening to other Canadian loyalty programs," and hoped to protect its users, such as those on its Scene loyalty program, by encouraging them to use best practices in digital security.
This comes after reports this month of rewards-point breaches by Loblaw Cos. Ltd., Canadian Tire Corp. and Quebec's SAQ liquor-store chain, and a global data breach revealed on Thursday by major cloud-services company Cloudflare Inc. The as-yet unconnected events illustrate the fragility of data security in an era where consumers are increasingly encouraged to sign up for proprietary rewards programs.
"I don't think there's any doubt that the stakes are getting higher in this area," said David Fraser, a technology and privacy lawyer with McInnes Cooper in Halifax. "Consumers don't have the technical skill or ability to go beyond the superficial appearances that their information is going to be protected. The onus really does turn onto the businesses, and onto the regulators, in order to make sure that the organizations do fulfill obligations," Mr. Fraser said.
Anne-Sophie Hamel, a spokesperson for the SAQ, told the Globe and Mail that customers started calling the chain at the start of February, and that 80 cases of potential fraud are being investigated. She said some customers complained of "phishing" – emails wrongfully purporting to be from the SAQ in order to get customers to send them their information.
Its Inspire program has 1.9 million members. The company is investigating the source of the problems, including whether or not there is a connection to other Canadian loyalty programs. "We are looking into all the different leads that we can," Ms. Hamel said.
The SAQ now asks for second IDs when customers spend points in stores, Ms. Hamel said, and has e-mailed members to suggest changing passwords to be both stronger and varied among different accounts.
"Even though you think the points are yours and nobody can use them, if [thieves] have your username and password, they can order themselves things," says Patrick Sojka, the Alberta rewards-program expert who founded RewardsCanada.ca. "It's no different than the password for your banking – you need to change them once in a while, and make them more secure."
Cineplex advised users to change passwords less than a day after Cloudflare announced its data breach. The leak, originally reported to Cloudflare by a Google security analyst on Feb. 17, was made public by the company Thursday. Cloudflare is a content-delivery network used by more than 5.5 million websites.
In a blog post late Thursday, the data company said that a tool that protects e-mail addresses from spammers was changed Feb. 13, and was the "primary cause" of the leaked data. It was purportedly stopped Feb. 18, but the company warned that search engines such as Google may have automatically cached some of the leaked information, making it available for theft.
"We wanted to ensure that this memory was scrubbed from search-engine caches before the public disclosure of the problem so that third parties would not be able to go hunting for sensitive information," the company wrote.
The company said that the data has since been purged with help from search engines.
Earlier this week, Loblaw told PC Plus members in an e-mail that the system had been the "target of fraud," leaving some members with stolen points.
The grocer said that "we believe the principal cause is passwords exposed through third party websites or weak passwords." It was not clear if this was related to the Cloudflare leak. The company did not immediately respond to a request for comment.
A sweeping list on software-developer website Github that purported to list all domains that used Cloudflare's domain-name system did not include Cineplex, Loblaw, Canadian Tire or the SAQ. Global News first reported this month that Canadian Tire customers had received e-mails informing them that an "unknown third party may have obtained" user login information. CBC News said last week that "about 15" SAQ loyalty-program members saw points disappearing.
Representatives from both Aimia, which runs Aeroplan, and Air Miles said in e-mails that they had not been affected by the Cloudflare breach.