London family says their PC Optimum points were stolen and used in another province - Action News
Home WebMail Saturday, November 23, 2024, 12:43 AM | Calgary | -11.5°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
London

London family says their PC Optimum points were stolen and used in another province

A London family says someone hacked into their PC Optimum account and redeemed their points at a Quebec PharmaPrix. Western University law professor Samuel Trosow says he'd be surprised if they were the only ones this had happened to.

A Western University law professor says customers need to demand stronger privacy standards

A loyalty card with the words PC Optimum on the front is seen close-up in a person's hand. The aisle of a retail store is seen in the background.
Mike and Heather Prangley say they've since gotten their points back, but wonder if the same situation might be happening to other people. (CBC)

A London couple was left rattled after they say they had more than 300,000 PC Optimum points stolen and redeemed at a Quebec PharmaPrix.

Mike and Heather Prangleysay it was a long road to getting those points back.

Mike Prangley says he logged onto his PC Optimum account in February and found that more than 300,000 points were missing and that his name had been changed. (Submitted)

Mike Prangleysaid he checkedhis PC Optimum app on February 24, and noticed that he was missing several hundred thousand points, and that his first name had been replacedon the accountwith someone else's.

"It said that the night before I had redeemed 310,000 points at the Shoppers equivalent in Quebec. I was not in Quebec the night before,and obviously someone [had] stolen these points off of our card," said Prangley.

Prangley said he called the PharmaPrixowner, who was able to confirmthe date and time that the points were redeemed.

"She said it seemed really suspiciouswhat he was doing, but there's no check and balance on the PC card," said Prangley."It's just if you've got the balance on your PC Card you can just go in and use it; you don't have to show any ID or any proof."

Although Prangley said he was able to quickly find out where his points had gone, it was more difficult to get them back.

Heather Prangleysaid the couple contacted PC Optimum's customer service '9 or 10' different waysto try to rectify the situation,including calls, tweets, e-mails and instant messages.

All in all, it took more than two weeks for them to get a response from someone who was able to reset the points balance, she said.

Loblawsresponse

Loblaws says they take any sign of unusual activity very seriously. (Ryan Remiorz/Canadian Press)

CBC News reached out to Loblawspublic relations to find out what had happened to the points, how many times these privacy breaches have occurred and what safeguards Loblaws puts in place to guard customer data.

The day that CBCsent a follow-up email signalling that we would soon be publishingthe story, Heather Prangley said shegot a phone call from a customer service rep who put the points back on her account within approximately '40 seconds.'

The customer service rep was not able to say how the family's card was compromised, but offered a bonus 25,000 points as a goodwill gesture, Prangley said.

In an email statement, Loblaws PR said that the privacy and security of customer accounts is very important to the company, and they had reached out to the family to reinstate their point balance.

"We have strong security measures in place across our digital platforms and take any sign of unusual activity very seriously," the company said in anemail.

LoblawsPR has not yet responded to further questions about how often these privacybreaches happen.

Western prof: Privacy law too vague

Law professor Sam Trosow says privacy laws require companies to have 'adequate safeguards' for customer information, but don't go into much detail about what 'adequate' means. (PC Optimum)

Western University law professor Sam Trosow said he would be very surprised if the Prangleys' situation was 'a one-off thing.'

"If this hacker in Quebec is able to access their information, there's probably a weakness in their system that's allowing other people to do it as well," said Trosow, who urged PC Optimum customers to check their balances and report any unusual activity.

Trosowsaid companies thatdeal with large quantities of customer information have an obligation to use adequate safeguards, but that existingprivacy laws don't go into much detail about what those safeguards should look like.

"Unfortunatelyand I think this is where the law needs to be strengthened a bitthere's no standard," he said.

"It just says 'adequacy,'so typically the terms of servicesay something along the lines of 'your privacy is very important to us,' but they don't go into any detailabout what system they're using."

Recommended privacy solutions

Trosow said he'd like to see stronger laws that define exactly what companies' privacy obligations are and require companiesto publicly acknowledge data breaches as soon as they happen.

Another solution could be to havean independent third partyperform privacy audits for companies and report back to the public on whether standards are being met, Trosow said.

In the meantime, he said consumers also have a role to play in demanding greater security standards from their digital products.

For their part, thePrangleys say that they have no hard feelings for Loblaws, but hope that the company will let customers know if these types ofprivacy breaches are a recurring problem.

"It's a free benefit, so it wasn't exactly life-altering," said Heather Prangley.

"But from a privacy issue... If there's flaws in the system then they need to come clean about it. If the person who redeemed our points is reflective of a larger issue, then people should know that."