Rewards and loyalty programmes have become a common facet of the retail industry, encouraging shoppers to spend more in order to save more. Programmes such as Fly Buys and American Express offer rewards to their customers for shopping with their selected partners while supermarkets such as New World and Countdown provide their customers with club cards that offer discounts and points for buying with them. To become a member of these programmes consumers must pass over their private information to a third party, so how safe is consumer information and what effort do supermarkets go to protect it?

Loyalty programs implemented by retailers are designed as strategic marketing concepts that retain existing customers through promotions and reward opportunities that are exclusive to members, while at the same time attracting new customers.

Not only are the programmes a positive for customers but they are also a bonus to retailers. Obtaining customers and attracting new ones is not the only positive for supermarkets, as the data collected offers them insights and additional customer information. When regarding supermarket rewards schemes, the customer accounts let supermarkets see shoppers spending habits allowing them to track what items are popular and thus what items to promote.

According to a Boston University College of Communication study, 86 percent of American shoppers use some form of store card or discount card, "and the majority of them say the benefits of the card are worth giving up some privacy."

Under the New Zealand Privacy Act an agency that holds personal information must protect that information with security safeguards, and that if the information is given to a person in connection with the provision of a service to the agency, everything reasonably within the power of that agency must be done to prevent unauthorised use or unauthorised disclosure of the information.

“The Business, organisation, department, club or society that holds personal information, should ensure that the information is reasonably protected against loss, misuse, and unauthorised disclosure,” said Charles Mabbett, Senior Communications Adviser, Office of the Privacy Commissioner.

It is not uncommon for shoppers to be targeted through their rewards cards. Recently Woolworths Australia was the victim of a rewards points scam that saw 130 exposed to fraudulent activity on their cards. The accounts of customers were accessed using a login and password which suggests that a third party website was involved. In a statement, Woolworths said that they had investigated the incident and found no evidence to suggest that its systems had been breached. Fraudsters instead were suspected to have obtained the login credentials from online scams or other sources.

“We get regularly get advised of data breaches – usually accidental but sometimes malicious – and in some cases, the people affected by these data breaches feel they have suffered some form of harm. They have a right to make a complaint to our office for us to investigate. We first try and mediate a settlement between the provider and the complainant. This might mean an apology and/or some kind of compensation for the harm caused by the breach. If a settlement can’t be reached, the complainant can take their case to the Human Rights Review Tribunal which can award damages,” added Mabbett.

This is, unfortunately, not uncommon with other supermarkets having had similar experiences. Most supermarkets such as Pakn’Save and New World have pages on their websites to warn customers against such incidents. New World has a scam alert page that lists current suspicious activity as soon as they become aware of a scam. Countdown has a similar page that warns customers not to give out their personal information to anyone proclaiming to be from the supermarket chain and that if they do, to report it to NetSafe or the Department of Internal Affairs’ Electronic Messaging Compliance Team.

“Security of personal information is important to us, and we take all reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure. We have significant controls in place throughout our systems which include data security auditors supporting the team to ensure we avoid breaches.  To date we have not experienced any incidents,” said a spokesperson from Foodstuffs. “The one thing that does concern the business is the increasing sophistication of attempts to scam customers with emails or text messages which use our branding.  We update our scam alerts regularly and have been working with CERT NZ to develop materials to advise customers what they should be looking for. Next week is Cyber Smart Week – it’s important that all New Zealanders take appropriate steps to protect their data.”

While a spokesperson from Countdown added that “we haven't had any security breaches here in New Zealand.  We take our responsibilities around privacy seriously and review our security regularly. “