New World, one of the leading supermarket chains in New Zealand, has confirmed it was the target of a cyber attack. Members of its popular Clubcard loyalty programme have been urged to update their passwords immediately.
“Our technology team has identified suspicious external activity where scammers have attempted to gain access to accounts by trying commonly used passwords across many usernames. Based on our investigation, it appears that some New World Clubcard accounts with weaker or reused passwords may have been accessed without the cardholders authorisation,” New World said in a statement.
While most customers were informed that their accounts were not compromised, they were advised to change their passwords to ensure safety. Members are encouraged to create stronger passwords following these guidelines:
- Use at least 12 characters to increase password strength.
- Include a mix of uppercase and lowercase letters, numbers, and at least one special symbol.
- Avoid using easily guessed words, predictable patterns, and personal information such as names or birthdays.
- Ensure each password is unique and not reused across different accounts.
New World said its systems have not been breached and that it is actively monitoring for any additional malicious activity.
“We sincerely apologise for any inconvenience. Your privacy and security are extremely important to us, we have taken these actions to protect you and strongly recommend you establish a refreshed and strong password,” New World said.
New World owner Foodstuffs said the activity matched a “password spraying attack,” in which common or previously compromised passwords are tried across numerous accounts.
“We want to reassure our customers that Foodstuffs’ systems have not been breached or compromised in any way. The issue has arisen where some customers’ passwords have been successfully guessed by scammers using automated tools,” a Foodstuffs spokesperson said.
Besides advising New World Clubcard members to update their passwords, Foodstuffs announced it has temporarily suspended the redemption of New World Dollars on affected Clubcard accounts and deleted any stored payment tokens associated with those accounts.