Cyber Incident Victim: Boots UK
Date: Mar 2020
Location: United Kingdom
Summary
Boots UK temporarily suspended payments with Advantage Card loyalty points after unauthorized attempts to access customer accounts through credential stuffing, in which attackers replayed username/password pairs leaked in breaches of other services. The incident affected under 1% of active cardholders, no payment card data was accessed, and the company confirmed its own systems were not breached. Point redemption was halted to stop fraudulent spending of stolen points, while customers could still earn points on purchases. Boots committed to reimbursing fraudulently spent points and advised affected users to reset their passwords, stressing a unique password per service and two-factor authentication as the defences against credential reuse.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early March 2020, Boots UK suspended all payments made through its Advantage Card loyalty scheme following unauthorized attempts to access customer accounts. The activity, detected on or around March 4, 2020, was credential stuffing: attackers took username/password pairs exposed in earlier breaches of unrelated third-party services and replayed them against the Advantage Card login, succeeding wherever a customer had reused the same password. Boots confirmed its internal systems were not compromised; the account takeovers relied solely on reused customer passwords. As a containment measure the company immediately disabled redemption of Advantage Card points for purchases, both in stores and online, while still allowing customers to accumulate points on transactions. The suspension removed the attackers' ability to monetise stolen points while Boots investigated the scope of the incident.

The attack affected fewer than 150,000 of Boots' 14.4 million active Advantage Card accounts, which the company described as less than 1% of the user base. Boots could not immediately give exact figures while the investigation was ongoing, but confirmed that no financial data or payment card information was accessed. Affected customers were contacted directly, and Boots committed to restoring any points fraudulently spent by the attackers. Point redemption remained disabled temporarily while the retailer worked to restore full functionality. The company reiterated that the account compromises resulted solely from credentials reused across multiple services and advised affected users to reset their passwords to ones not used anywhere else. The incident came shortly after a similar credential-stuffing attack affecting 600,000 Tesco Clubcard accounts, highlighting how exposed retail loyalty schemes were to credential reuse during this period.
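The signature of the technique described above is many login attempts from one source against many distinct accounts with a low success rate, followed by a handful of successes on accounts whose passwords were reused. The detector below is an added example written for this page, not Boots' own tooling; the log format, the field names and the thresholds are assumptions, and the log lines are constructed. It flags source IPs exhibiting the stuffing pattern inside a sliding time window and returns the accounts that were successfully logged into from those sources, which is the list a responder would put on hold for redemption and force through a password reset.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events (not real Boots data). Assumed format:
# ISO-8601 timestamp, source IP, account identifier, result (OK or FAIL).
# 198.51.100.5 is a legitimate user mistyping once; 203.0.113.7 replays
# leaked credentials against eight accounts and succeeds on one.
SAMPLE_LOG = """\
2020-03-04T09:00:00Z 198.51.100.5 alice@example.com FAIL
2020-03-04T09:00:09Z 198.51.100.5 alice@example.com OK
2020-03-04T09:01:00Z 203.0.113.7 alice@example.com FAIL
2020-03-04T09:01:01Z 203.0.113.7 bob@example.com FAIL
2020-03-04T09:01:02Z 203.0.113.7 carol@example.com OK
2020-03-04T09:01:03Z 203.0.113.7 dave@example.com FAIL
2020-03-04T09:01:04Z 203.0.113.7 erin@example.com FAIL
2020-03-04T09:01:05Z 203.0.113.7 frank@example.com FAIL
2020-03-04T09:01:06Z 203.0.113.7 grace@example.com FAIL
2020-03-04T09:01:07Z 203.0.113.7 heidi@example.com FAIL
2020-03-04T09:05:00Z 192.0.2.9 bob@example.com OK
"""


def parse_log(text):
    """Parse whitespace-separated login lines into (ts, ip, user, ok) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_rate=0.25):
    """Flag source IPs that hit many distinct accounts with a low success rate
    inside a sliding window, and list accounts they logged into successfully.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    suspect_ips = {}
    for ip, evs in by_ip.items():
        recent = deque()  # events from this IP within the current window
        for ts, _, user, ok in evs:
            recent.append((ts, user, ok))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            distinct = len({u for _, u, _ in recent})
            successes = sum(1 for _, _, s in recent if s)
            rate = successes / len(recent)
            if distinct >= min_distinct_users and rate <= max_success_rate:
                prev = suspect_ips.get(ip)
                # Keep the widest window observed for this IP in the report.
                if prev is None or distinct > prev["distinct_users"]:
                    suspect_ips[ip] = {"distinct_users": distinct,
                                       "attempts": len(recent),
                                       "success_rate": rate}

    # Any account successfully logged into from a flagged source is a takeover
    # candidate: hold point redemption and force a password reset.
    compromised = sorted({user for _, ip, user, ok in events if ok and ip in suspect_ips})
    return {"suspect_ips": suspect_ips, "compromised_accounts": compromised}


if __name__ == "__main__":
    report = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, stats in report["suspect_ips"].items():
        print(f"suspect source {ip}: {stats}")
    print("accounts to hold and reset:", report["compromised_accounts"])
```

A per-source heuristic like this catches a single stuffing tool but not a botnet that spreads the same credential list over thousands of IPs with one or two attempts each; for that, the complementary signal is per account (a success from a previously unseen network shortly after failures) combined with a site-wide login failure rate that jumps well above its baseline. The containment Boots chose, disabling redemption for everyone, is the coarse version of the per-account hold produced here and buys time when the affected set cannot yet be enumerated.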
