Supermarket customers have been urged to change their passwords after a cybersecurity attack on New World’s loyalty programme meant some accounts may have been accessed by scammers.
Members of the New World Clubcard programme received an email late on Friday warning that scammers had attempted to gain access to accounts by trying commonly used passwords.
“Our technology team has identified suspicious external activity where scammers have attempted to gain access to accounts by trying commonly used passwords across many usernames,” the supermarket said.
“Based on our investigation, it appears that some New World Clubcard accounts with weaker or reused passwords may have been accessed, without the cardholder’s authorisation.”
Most customers were told their account was unaffected but that passwords should be changed “to be safe”.
New World’s own systems had not been breached, the supermarket said, with its technology team now monitoring for “any further malicious activity”.
The supermarket, owned by Foodstuffs, said it was working with cybersecurity experts to ensure customers’ data remained secure.
“We sincerely apologise for any inconvenience. Your privacy and security are extremely important to us, we have taken these actions to protect you, and strongly recommend you [establish] a refreshed and strong password.”
Foodstuffs North Island and Foodstuffs South Island told 1News the activity was consistent with a “password spraying attack” where common passwords or previously compromised passwords were tested on many accounts.
“We want to reassure our customers that Foodstuffs’ systems have not been breached or compromised in any way. The issue has arisen where some customers’ passwords have been successfully guessed by scammers using automated tools,” a spokesperson said.
“As a precaution, we have temporarily disabled the ability to redeem New World Dollars on affected Clubcard accounts and removed stored payment tokens linked to them.”
Personal credit card data was not compromised as Foodstuffs never stored full card numbers, they added.
