Furious members of the scheme have bombarded the supermarket chain and social media with reports of fraudulent transactions on their accounts — some of them targeted several times, to the tune of hundreds of dollars.

“Someone just stole my rewards credit to pay for their groceries. I got the notification on the app that I had a new receipt and had used my $30 credit,” one woman wrote on a Facebook group with 280,000 members.

“I live in Sydney and the transaction was made in Brisbane. I tried to contact Woolworths with no luck, apparently they are receiving a huge number of calls.”

Another wrote: “I have had this happen four times in the last few months. Woolworths are great when you get through on the phone but I got sick of having to do it.”

A fellow shopper added: “This happened to me last year, I eventually got my credit back but unsure how it’s happening so often.”

Woolworths denies its program has been formally hacked — or that there is a widespread problem — but has more than 100 cyber security staff “constantly monitoring for potential threats”.

It confirmed it was “assisting a small number of members” who had fallen victim to unauthorised access.

“We have been assisting some members who appear to have been the victim of unauthorised access to their Everyday Rewards accounts,” a Woolworths Everyday Rewards spokesperson said.

“And in the cases reported to us, accounts have been accessed using valid login or account details.

“This indicates fraudsters have likely obtained these members’ login credentials and account details from online scams or other sources.”

To combat the theft, Woolworths has introduced a number of security measures to its Everyday Rewards program, including two factor authentication on the website. Customers are being urged to change their passwords.

As an additional safety measure, members who have chosen to “Bank For Christmas” will need to use the Everyday Rewards app in order to release funds prior to December 1.

Security Awareness Advocate at KnowBe4, Jacqueline Jayne, said we were seeing “next level data being breached and stolen”.

“With the latest release of the personal health information we have seen (through the Medibank hack), we are at another level that has the potential to cause immense personal stress to individuals, which is new for us all to manage,” she said.

“Most IT Teams in organisations worldwide, including Australia, are, for the most part, doing everything they possibly can to protect against cyber attacks. No matter how good and advanced they are, cybercriminals still prevail.”

Ms Jayne said there were a number of steps Australians could take to reduce their security risk, including getting a password manager, enabling a multi-factor authentication and being extra vigilant to scam emails and texts.

“As consumers, need to accept that our basic and unique identifier data will be stolen,” she said.

“We need to apply more levels of protection and basic cyber hygiene and realise that cybersecurity is everyone’s responsibility.”

TIPS FOR CUSTOMERS

1. Change your Everyday Rewards password if you’ve used it for another account online, making sure passwords are unique for all online accounts.
2. Update your passwords to stronger passphrases, including numbers and special characters like ILOVE2ReadB00ks! and 2beornot2B?
3. Take a closer look at who is contacting you and be suspicious of calls, SMS or emails that don’t seem genuine. Everyday Rewards will never ask for your login details via phone or SMS.
4. Log out of your accounts and lock devices as soon as you’re finished.
5. Download the Everyday Rewards app and turn on ‘push notifications’ to keep track of any transactions on your Everyday Rewards account.

More Coverage

targeted several times,

Adella Beaini

‘If they fall, we all fall’: Invisible toll of Optus, Medibank hack

Adella Beaini