Morrison More Breach - It's all the customer's fault!

Gary9960

It is a legitimate site.
Well then Morissons customer service e mail, has been hacked

no1catman

Joolsem wrote: »

21st May 2019 I had £30 of more points stolen. My vouchers were spent in Ft.William which is round trip of over 1000 miles from where I live. I only had the app for a short while, as I didn't like it much. I also had Tesco's clubcard app which at the time had same email & passw

Why would you have the same password for both?

Tesco several years ago went through a period of problems over Voucher Fraud - so it's no wonder that they are safer, Clubcard have more safeguards built into the system to prevent unauthorised use. Whereas Morrisons may believe that the 'password' is enough.

You could go to Action Fraud.

davea1_1

I have this situation and luckily it’s only £5 or £10 that has been taken. Conflicting information given by customer services, told one had been used online to then be told it had been used in a store 40+ miles away.
They won’t budge on refunding citing the data breach website as the fact someone has used my login credentials.
I’ve now exercised my right under GDPR to make a data subject access request (DSAR) where they have to provide all the information that they hold on me within 1 calendar month so I would suggest anyone with the same problem does the same.

I await a response but in the meantime they’ve lost another customer (again). Kicking myself as had already converted to Aldi but fell for a recent ‘bonus points’ offer....

Cookiekel83

Well I’ve now been a victim of Morrison’s more card theft as well I went on today to redeem some vouchers as needed to do shopping. I knew I had at least £160 saved up for when I needed them. When I logged in I was missing around 150,000 points!!! So I called them and they advised me that I redeemed £150 in June?? I told them it wasn’t me and that I hadn’t done this he then went on to tell me my email had been hacked and there was nothing they would do! Now I know this isn’t the case as I have my email setup and frequently change the password plus I have alerts setup if it’s hacked!! So someone in my opinion has hacked them got my details! My bank details are saved on my shopping account and this hasn’t been effected at all!! He told me he couldn’t tell me where they were used. I have raised this with action fraud but it seems we are all being informed the same thing £150 is a lot of money and I won’t rest until they sort this! Needless to say I will not be continuing to shop with them!

greenchoc11

£15 stolen from me. Same rubbish about being hacked, now ignoring my further emails to them. Would encourage everyone to report to watchdog , if enough do they might report the story

davea1_1

Yep, I reported to Watchdog, too. I’m also considering going to the local paper (T&A) which is the same local paper that covers their Head Office.
How can we believe what they are saying? I’m sure it wasn’t too long ago that an employee was found guilty of leaking personal details.

no1catman

Surely the first priority is Action fraud!? And, how do you know you haven't been 'hacked'? Have you accessed your account at home, or in a public place with other people about?

Browntoa

Pwned site is genuine , it means your email address is on openly available hacked lists .

Can be from either

Web site database hacked ( no proof of Morrisons being hacked )

User stupidity , click on link in scam email to "reset password"

User stupidity , allowed malware to be installed on pc or device by clicking on email link or pop up saying "update required" etc.

I have one of my email address on that pwned site from a forum hack ( not this one ) but my main email address does not.

Morrisons do have a point

davea1_1

But I have serious misgivings around their online security.
1. You change password on the website but the app remains logged in and allows details to be changed, such as changing the voucher preferences, without asking you to sign in again. Presume this is why they tell you to report your card as lost or stolen as someone could still use your card details.
2. Lack of multi-factor authentication (such as texting you a unique number to enter when logging in) - especially as money is involved.
3. Website says you can’t use a previous password when changing password but accepts it (and confirms it has been changed) as well as allowing you to ‘change’ it to the same password (again, telling you your password has been changed).
Anyone with the app on an iPhone can try 1. above and everyone can try 3.
Secure? I don’t think so

greenchoc11

In reference to Browntoa, I used a unique password for each of my sites. I do not have malware or fall subject to phishing or anything like that, so I would not put it down to "user stupidity". Their website has serious security flaws such as no OTP, not notifying when a new device has been linked to your account when you change the password then it still leaves the app logged in and also the fact that there is no waiting period like there is in the redemption of clubcard points. There are many ways that someone could have gained access to passwords - internal leak, a hack occurred that they haven't admitted to or detected, someone brute-forced the site and got a working list of passwords to sell on. Morrisons should take responsibility for their low security and refund customers - like banks do. The final email I sent got a reply saying they are looking into making the app more secure with a unique pin on the app - bit too late for all of us though