A number of Woolworths' customers have claimed their rewards cards have been hacked and they've had their accumulated loyalty points stolen.
The hack is believed to have been carried out through the company's app, which lets anyone enter an arbitrary card number and see that card's points balance without a password.
A user can enter the number in the rewards card app to generate an image of the barcode, which they can then present at the checkout to claim any discounts.
OzBargain forum user jjj123 started a thread about their card being hacked with hundreds of people jumping on to claim the same thing had happened to them.
"My new Woolworths rewards card has been hacked, points already used in other state while I only received [it] today," jjj123 wrote.
"Applied for the card last month with 5000 points bonus, I received the card today, logged in, and found the points were used in another state two weeks ago.
"Anyone in the same situation as me? Who could access the card number before me? The envelope received today was sealed, in an unopened condition."
Several users shared their similar experiences.
User Ruper Murduck wrote: “Very odd, had one delivered to an address in Parkes NSW, and when I went to use it, the rewards were gone, looked online and someone in The Ponds near Blacktown NSW had redeemed them first. What in the world.”
User Blasted said their $20 had been used on a gift card they did not purchase, but Woolworths customer service had refunded the points and changed the card number after being contacted.
“Still haven’t received my Woolworths Rewards card in the mail so I thought I’d check my Woolworths account to see that my $20 had been redeemed today in Kingsgrove, which is three-and-a-half hours away from me,” wrote Frosty1.
The pattern continues with several other people claiming $20 was redeemed at Kingsgrove on unused cards.
“Looks like a breach of the IT system to me and is concerning since I use only the WISH gift cards for all my Woolworths purchases,” F1ngolf wrote.
User Clem said points were stolen from both of the new cards they had ordered.
“One was $20 exactly at Kingsgrove, and the other was an actual spend at Box Hill,” they wrote.
“This guy better lawyer up because I hope Woolies hits him like a train.”
A Woolworths spokesperson said the supermarket is monitoring customer feedback.
“Although our investigation shows there is no issue with the functionality and security of the app, we are reviewing how the app experience can be better improved to provide further assurances for customers,” he said.
“We work hard to ensure our customers’ shopping experience is efficient, seamless and importantly, safe and secure. We take our obligations in relation to customer data very seriously, and have robust controls in place to ensure customer expectations of privacy and security are met."
Several users have speculated about how the culprits obtained valid card numbers.
It’s not clear how they identified the correct barcode numbers. “Possibly someone ordered a bunch of Woolworths Rewards cards, noticed a pattern in how they are numbered, created barcodes for the next numbers in the sequence and used them to redeem your points,” Durd0008 wrote on the forum.
“It’s entirely possible that for Woolworths Rewards they just increment each member number by 1, and because the membership number is also a barcode, the only security in it is knowing the last number is a check number. [For example], my card could be 9353000000008 and the next person would be 9353000000015.”
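The forum theory above, together with the balance lookup described earlier (any card number, no password), can be shown concretely. The following is an added example, not code from the article, from the forum posters or from Woolworths. It assumes the card number is a 13-digit EAN-13 style barcode (12 digits plus a check digit) and that member numbers are issued sequentially; the page does not confirm either. Under the standard EAN-13 rule the check digit for 935300000001 works out to 5, matching the 9353000000015 in the quote. The balance table and the owner table are constructed stand-ins for the app's back end, used only to show why a check digit is an integrity check and not a secret, and why the lookup needs to be bound to the logged-in account.

```python
"""Sequential card numbers plus a computable check digit are enumerable.

Added example (not the article's or Woolworths' code). Assumes EAN-13 style
numbering and sequential issuance; both are assumptions, not facts from the page.
"""


def ean13_check_digit(body: str) -> int:
    """Return the EAN-13 check digit for a 12-digit body.

    Digits are weighted 1,3,1,3,... from the left; the check digit brings the
    weighted sum up to a multiple of 10. Anyone can compute it, so it provides
    no protection against guessing the next card in a sequence.
    """
    if len(body) != 12 or not body.isdigit():
        raise ValueError("body must be exactly 12 digits")
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(body))
    return (10 - total % 10) % 10


def is_valid_card(number: str) -> bool:
    """True if the 13-digit number carries the correct EAN-13 check digit."""
    return (
        len(number) == 13
        and number.isdigit()
        and int(number[-1]) == ean13_check_digit(number[:12])
    )


def next_cards(seed: str, count: int) -> list[str]:
    """From one valid card number, derive the next `count` valid numbers.

    This is the enumeration step the forum post describes: increment the
    12-digit body and recompute the check digit for each candidate.
    """
    if not is_valid_card(seed):
        raise ValueError("seed fails its check digit")
    body = int(seed[:12])
    result = []
    for n in range(1, count + 1):
        candidate_body = f"{body + n:012d}"
        result.append(candidate_body + str(ean13_check_digit(candidate_body)))
    return result


# Constructed sample data standing in for the rewards back end (not real cards).
CONSTRUCTED_BALANCES = {
    "9353000000015": 4000,  # seed card, already known to the attacker
    "9353000000022": 0,
    "9353000000039": 4000,  # a freshly issued card with its sign-up bonus
}
CONSTRUCTED_OWNERS = {
    "9353000000015": "member-A",
    "9353000000022": "member-B",
    "9353000000039": "member-C",
}


def lookup_no_auth(card: str):
    """Weak pattern: balance is returned for any card number, no login required."""
    return CONSTRUCTED_BALANCES.get(card)


def lookup_bound_to_account(card: str, session_member: str):
    """Hardened pattern: the balance is only returned to the card's own member."""
    if CONSTRUCTED_OWNERS.get(card) != session_member:
        return None
    return CONSTRUCTED_BALANCES.get(card)


def enumerate_balances(seed: str, count: int, lookup) -> dict[str, int]:
    """Walk the sequence after `seed` and collect every balance the lookup reveals."""
    found = {}
    for card in next_cards(seed, count):
        balance = lookup(card)
        if balance is not None:
            found[card] = balance
    return found


if __name__ == "__main__":
    seed = "9353000000015"
    print("next valid numbers:", next_cards(seed, 3))
    print("unauthenticated lookup reveals:", enumerate_balances(seed, 3, lookup_no_auth))
    bound = enumerate_balances(seed, 3, lambda c: lookup_bound_to_account(c, "member-A"))
    print("account-bound lookup reveals:", bound)
```

With the unauthenticated lookup, the walk from the seed exposes every neighbouring card and its balance, which is exactly the condition under which a freshly posted card can be drained before it arrives. With the lookup bound to the logged-in member, the same walk returns nothing, regardless of how predictable the numbering is; randomising the member number would raise the cost of guessing but does not replace that binding.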
User catchganu also claimed they were hacked but said if users call the support line Woolworths "will send you another card with 4000 points - $20 worth".
Woolworths said their apps are "constantly reviewed for any improvements in functionality and security".
The current program offers one point per $1 spent at Woolworths supermarkets, Woolworths online, BWS and Caltex Woolworths fuel outlets.
Users then have the option of automatically redeeming points for money off their shopping, saving them up, or converting them to Qantas Points.