Skip to main content

Customers purchase movie tickets at the Cineplex Scotiabank Theatre in Toronto in this file photo.

Matthew Sherwood/The Globe and Mail

After a series of fraud allegations across multiple Canadian rewards-points systems and a global cloud-service data leak, Cineplex Inc. "proactively" asked users with accounts on its website to change their passwords on Friday.

In an e-mail, a Cineplex spokesperson told The Globe and Mail that "we are aware of the data breaches that have been happening to other Canadian loyalty programs," and hoped to protect its users, such as those on its Scene loyalty program, by encouraging them to use best practices in digital security.

This comes after reports this month of rewards-point breaches by Loblaw Cos. Ltd., Canadian Tire Corp. and Quebec's SAQ liquor-store chain, and a global data breach revealed on Thursday by major cloud-services company Cloudflare Inc. The as-yet unconnected events illustrate the fragility of data security in an era where consumers are increasingly encouraged to sign up for proprietary rewards programs.

Story continues below advertisement

"I don't think there's any doubt that the stakes are getting higher in this area," said David Fraser, a technology and privacy lawyer with McInnes Cooper in Halifax. "Consumers don't have the technical skill or ability to go beyond the superficial appearances that their information is going to be protected. The onus really does turn onto the businesses, and onto the regulators, in order to make sure that the organizations do fulfill obligations," Mr. Fraser said.

Anne-Sophie Hamel, a spokesperson for the SAQ, told the Globe and Mail that customers started calling the chain at the start of February, and that 80 cases of potential fraud are being investigated. She said some customers complained of "phishing" – emails wrongfully purporting to be from the SAQ in order to get customers to send them their information.

Its Inspire program has 1.9 million members. The company is investigating the source of the problems, including whether or not there is a connection to other Canadian loyalty programs. "We are looking into all the different leads that we can," Ms. Hamel said.

The SAQ now asks for second IDs when customers spend points in stores, Ms. Hamel said, and has e-mailed members to suggest changing passwords to be both stronger and varied among different accounts.

"Even though you think the points are yours and nobody can use them, if [thieves] have your username and password, they can order themselves things," says Patrick Sojka, the Alberta rewards-program expert who founded RewardsCanada.ca. "It's no different than the password for your banking – you need to change them once in a while, and make them more secure."

Cineplex advised users to change passwords less than a day after Cloudflare announced its data breach. The leak, originally reported to Cloudflare by a Google security analyst on Feb. 17, was made public by the company Thursday. Cloudflare is a content-delivery network used by more than 5.5 million websites.

In a blog post late Thursday, the data company said that a tool that protects e-mail addresses from spammers was changed Feb. 13, and was the "primary cause" of the leaked data. It was purportedly stopped Feb. 18, but the company warned that search engines such as Google may have automatically cached some of the leaked information, making it available for theft.

Story continues below advertisement

"We wanted to ensure that this memory was scrubbed from search-engine caches before the public disclosure of the problem so that third parties would not be able to go hunting for sensitive information," the company wrote.

The company said that the data has since been purged with help from search engines.

Earlier this week, Loblaw told PC Plus members in an e-mail that the system had been the "target of fraud," leaving some members with stolen points.

The grocer said that "we believe the principal cause is passwords exposed through third party websites or weak passwords." It was not clear if this was related to the Cloudflare leak. The company did not immediately respond to a request for comment.

A sweeping list on software-developer website Github that purported to list all domains that used Cloudflare's domain-name system did not include Cineplex, Loblaw, Canadian Tire or the SAQ. Global News first reported this month that Canadian Tire customers had received e-mails informing them that an "unknown third party may have obtained" user login information. CBC News said last week that "about 15" SAQ loyalty-program members saw points disappearing.

Representatives from both Aimia, which runs Aeroplan, and Air Miles said in e-mails that they had not been affected by the Cloudflare breach.

Story continues below advertisement

Report an error Editorial code of conduct
Tickers mentioned in this story
Unchecking box will stop auto data updates
Comments

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • All comments will be reviewed by one or more moderators before being posted to the site. This should only take a few moments.
  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed. Commenters who repeatedly violate community guidelines may be suspended, causing them to temporarily lose their ability to engage with comments.

Read our community guidelines here

Discussion loading ...

Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.
Cannabis pro newsletter