The spokesman said no personal credit card data has been compromised: “Foodstuffs never stores full [credit] card numbers.”
However, a New World Clubcard account can have “New World dollars” loaded to it, earned under a rewards scheme, that can be used to buy groceries.
“As a precaution, we have temporarily disabled the ability to redeem New World dollars on affected Clubcard accounts and removed stored payment tokens linked to them,” the spokesman said.
Citing security, the spokesman would not answer questions about whether scammers had been able to order groceries, whether refunds had been paid if they had, or how many accounts were affected.
Expert’s concerns
Hamish Krebs, a cybersecurity incident response expert with security firm CyberCX and himself a New World Clubcard customer, received the Foodstuffs email this morning. Like a number of other customers, he was told his account was not affected but that, in keeping with “security best practice”, he should update his account anyway.
In Krebs’ view, any transactional site should require a strong password from the get-go.
He said he could also only find one “two-factor authentication” option in the New World Clubcard app – to have a code sent to a cellphone number. He said the drawback was that once logged into a Clubcard account, a scammer could change the associated cellphone number to their own.
Krebs said a scammer who accessed a Clubcard account could spend a customer’s New World reward dollars – but because a credit card could be tied to an account, they could also spend beyond the rewards balance “and buy $500 worth of beer and wine and get that delivered to any address or click and collect”.
As a New World customer, I placed an order through New World’s app, going beyond my Clubcard rewards dollar balance of $10.73 to place a $19.73 click-and-collect order with the balance charged to my stored credit card without a three-digit security code being requested.
Once logged into the New World Clubcard website, items could also be added to an order – and charged to a saved credit card – without a security code being requested.
Ability to charge but credit card details not visible
While it appears the scammers could potentially charge New World purchases to the credit card linked to a compromised account, they could not see the card number, cardholder name, expiry date or three-digit security code.
“We store an encrypted token, not credit card details,” the Foodstuffs spokesman said.
“That allows the credit card to be used in transactions but ensures the card details themselves are not at risk.
“For the customers successfully targeted by the attackers, we deleted the encrypted tokens, ensuring that if the attackers attempted to use their account to order online [once the breach had been discovered], they would not be able to make a payment, thus protecting our customers.”
Change your password
“To restore access and ensure ongoing protection, we are asking affected customers to reset their passwords, choosing a strong and unique passphrase,” the Foodstuffs spokesman said.
“We are closely monitoring for any further malicious activity and working alongside external cybersecurity experts to further reinforce our defences.
“We apologise for the inconvenience. Protecting our customers’ privacy, data and trust is a top priority, and we are taking every step to respond quickly.”
Foodstuffs’ password recommendations
Foodstuffs recommends customers follow the guidelines below when resetting their New World Clubcard password.
CyberCX’s Krebs said he agreed with all the guidelines, including the recommendation to “use at least 12 characters” but that as of this morning, after receiving Foodstuffs’ warning email, he still had the option in the New World Clubcard app to set a less secure six-character password.
- Use at least 12 characters
  - Longer passwords are harder to crack
- Mix character types
  - Include uppercase, lowercase, numbers, and at least one of these symbols (!@$%^&*()_+=-{};:'",.<>?|~`)
- Avoid common words and patterns
  - Don’t use easily guessed words like password, 123456, or qwerty
- Don’t use personal information
  - Avoid names, birthdays or addresses
- Use passphrases
  - Combine unrelated words into a phrase (eg BlueTiger!Drinks7Coffee)
- Don’t reuse passwords across different accounts
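To show how the guidelines above translate into a server-side check at password-reset time, here is an added example in Python. It is not Foodstuffs' or New World's code; the symbol list and the 12-character minimum come from the guidance above, while the small set of "easily guessed" words and the pattern checks are constructed stand-ins for the breached-password list a real deployment would consult.

```python
import re

# Minimum length and accepted symbols, taken from the guidance above
MIN_LENGTH = 12
ALLOWED_SYMBOLS = set("!@$%^&*()_+=-{};:'\",.<>?|~`")

# Constructed sample of easily guessed values; a production check would
# compare against a large list of breached passwords instead
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
SEQUENCES = ("abcd", "1234", "qwer", "asdf")


def check_password(password, personal_info=(), previously_used=()):
    """Return the list of guideline violations; an empty list means the password passes.

    personal_info: names, birthdays, addresses tied to the account (assumed to be
                   supplied by the caller from the account profile).
    previously_used: passwords already known for this user (hypothetical input;
                     reuse across *other* sites can only be caught by a password
                     manager or a breached-credential lookup).
    """
    problems = []

    # 1. Use at least 12 characters
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # 2. Mix character types: upper, lower, digit and an accepted symbol
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in ALLOWED_SYMBOLS for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # 3. Avoid common words and patterns (substring match, case-insensitive)
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a commonly guessed word")
    if re.search(r"(.)\1{2,}", password) or any(seq in lowered for seq in SEQUENCES):
        problems.append("contains a repeated or sequential pattern")

    # 4. Don't use personal information
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")

    # 6. Don't reuse passwords (limited to what this service already knows)
    if password in previously_used:
        problems.append("reused from a previous password")

    return problems


if __name__ == "__main__":
    # The passphrase from the guidance passes; a short common word does not
    print(check_password("BlueTiger!Drinks7Coffee"))
    print(check_password("password1"))
    print(check_password("Wellington2024!!Birthday", personal_info=["Wellington"]))
```

Guideline 5 (use passphrases) is not a separate rule in the checker: the passphrase example from the guidance satisfies the length and character-mix rules on its own, which is the point of recommending it. Note also that a check like this only runs when the user sets a password; it does nothing for an account whose existing six-character password was accepted earlier, which is the gap Krebs describes.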
Foodstuffs ‘doing the right thing’
A second cybersecurity expert was more positive in his take on Foodstuffs’ response.
“This is a common form of attack in which passwords have been lost in another breach, or attackers are simply trying to guess common passwords,” Aura Information Security general manager Patrick Sharp said.
“It is not a data breach, and is not caused by a weakness in New World’s systems.”
A password manager, such as LastPass or Bitwarden, is a good way to manage complex passwords on many sites effectively, Sharp said. The latest web browsers also act as password managers, suggesting strong passwords then remembering them for you (as long as you remember your master password to access your “vault” of logons).
“Foodstuffs are doing the right thing communicating proactively about this – they’ve given good detail and great advice,” Sharp said.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.