Cyber Incident Victim: New World
Date:
Jul 2025
Location:
New Zealand
Summary
The loyalty program of a major supermarket chain experienced a cybersecurity incident in which attackers attempted to access accounts using common passwords. Investigators found that some accounts with weak or reused passwords may have been accessed without authorization, while most customers were informed their accounts were not compromised, and the company said it is collaborating with cybersecurity specialists and has apologized for the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On Friday night, members of the New World Clubcard loyalty and online shopping programme received an email informing them of a recent cybersecurity incident that had affected a number of their accounts. The email stated that the supermarket’s technology team had identified suspicious external activity in which scammers attempted to gain access to accounts by trying commonly used passwords across many usernames. According to the investigation, it appeared that some New World Clubcard accounts with weaker or reused passwords may have been accessed without the cardholder’s authorization. The message noted that most customers were told their individual accounts had not been affected, but the supermarket advised all recipients to change their passwords as a precautionary measure. The email emphasized that the company was working with cybersecurity experts to ensure the security of customer data and to prevent further unauthorized access.
The incident prompted a public warning for supermarket customers to update their passwords, reflecting concerns that credential‑based attacks could compromise personal information linked to the loyalty programme. While the email did not specify the exact number of accounts impacted, it indicated that the scope was limited to a subset of New World Clubcard members whose passwords were weak or reused across other services. No details were provided about what data, if any, was exfiltrated or how the suspicious activity was initially detected beyond the password‑guessing attempts. The supermarket’s parent company, Foodstuffs, did not respond to requests for comment from RNZ News regarding the incident.
In response to the event, New World reiterated its commitment to customer privacy and security, issuing an apology for any inconvenience caused by the breach. The company stated that it had taken actions to protect customers and strongly encouraged them to establish refreshed, strong passwords. No further technical details about containment measures, forensic findings, or timeline of the attack were disclosed in the available source material. The narrative concludes with the supermarket’s assurance that it continues to collaborate with cybersecurity specialists to safeguard its systems.