Iceland freezes Bonus Card accounts after 'illegal access'
Thousands of Iceland Bonus Card customers have been caught up in a security breach which saw criminals illegally access accounts and a large number of cards cancelled as a precaution, MoneySavingExpert.com can reveal.
The supermarket, which stressed its own systems have not been hacked, has alerted the Information Commissioner's Office to the incident. It says it's "confident" no-one has lost money as a result of the criminal activity.
It wrote to affected customers about the incident earlier this month. Many were locked out of their accounts and left unable to use their cards for up to 10 days, though they should now have received replacements.
For more info on keeping your passwords safe from security breaches, see our 30+ Ways to Stop Scams guide.
What is Iceland's Bonus Card scheme?
It is a savings scheme which lets you put money directly onto the card, either online or in store, to be spent in Iceland stores.
The scheme gives you an extra £1 for every £20 saved onto the card – equivalent to a 5% bonus – and is especially popular with shoppers saving for Christmas.
Other supermarkets run similar schemes, but we warn against keeping your cash in them for too long as they don't offer the same savings protection as a bank account. See our Supermarket Xmas Boost guide for more info on how they work.
Iceland says a "small number" of accounts were illegally accessed using login details stolen in other organisations' security breaches – though it says it does not know which.
It's understood that the number affected by the incident is in the low thousands, though it's not clear if all those affected had their accounts illegally accessed. We've asked Iceland for full info and will update this story when we learn more.
Iceland says that while it's suspended affected accounts as a precaution, it's confident no-one will have lost money as a result of the issues. But if you are concerned you've had money taken, you can call Iceland's customer care team on 0800 328 0800.
What do Iceland's customers say?
Bonus Card customers have taken to social media to report receiving letters – pictured below – saying their accounts had been compromised:
What should I do if my account was affected?
If you were affected, you should have received a letter from Iceland telling you your account has been suspended – they were sent out around 7 November.
Iceland has warned that it isn't contacting customers by email about this issue – so if you receive an email telling you you're affected, it could be from 'phishing' scammers.
If you are affected, you can reactivate your account by logging in and changing your password.
Your new Bonus Card will have been posted to you automatically, and you should have received it by now, but if you haven't call Iceland customer services on 0800 328 0800.
If you have the same password for other accounts, you should change these too – see our Password Security 60-second guide for more help.
What does Iceland say?
A spokesperson said: "Iceland has identified instances of unlawful access to a small proportion of its customers' Bonus Card accounts, using login details and passwords stolen through security breaches at other organisations. We have taken action to stop this and, as a sensible precaution to protect our customers, we have temporarily disabled the accounts and related Bonus Cards concerned.
"There has been no breach of Iceland's own systems, nor any loss of data from Iceland itself.
"Criminals have been able to achieve this unlawful access because members of the public sometimes use the same password across multiple websites: this enables hackers to make use of stolen passwords from previous security breaches of other websites. We strongly recommend that customers adopt a unique password for every website they use.
"Iceland has engaged forensic cyber-security experts who have helped to conduct a full investigation of the issue, and has adopted additional security monitoring to detect and prevent further unlawful attempts to access customers' accounts."
We've approached the Information Commissioner's Office for comment and will update this story when we hear back.
If you've been affected by this issue, let us know at email@example.com.