Deeside resident anger after Iceland said he was to blame for his bonus card details being hacked

A Deeside resident has been left fuming at one of the region’s biggest companies for its “sheer incompetence” in dealing with a data breach which has seen criminals illegally access some of its ‘Bonus Card’ customers accounts.

Deeside based Iceland has temporarily frozen a large number of Bonus Card accounts and issued replacement cards after it was discovered there had been unlawful access to “small number” of accounts.

The popular Bonus Card scheme pays shoppers £1 for every £20 saved or £2 for every £20 saved between October 29 and November 25 2018, up to a maximum of £1,000.

The saga began for one Iceland customer on November 10, local resident Simon Flynn got in touch with Deeside.com after he received a letter from the supermarket giant signed by Chief Executive Officer Tarsem Dhaliwal.

The letter said the company had detected evidence “that a small number of Iceland Bonus card accounts had been illegally accessed in the last few days.”

It goes onto to say that although Iceland systems had not been “hacked” criminals have used stolen login and password details from “other security breaches.”

Chief Executive Officer then goes onto to bizarrely blame Bonus card users for the data breach “because you have used the same password on multiple websites.”

It’s a claim which Mr Flynn flatly refutes he told Deeside.com “My Iceland password is unique to Iceland. I do not use it anywhere else, so them saying its because I use the same password on multiple websites is completely false.”

Mr Flynn said that despite receiving a replacement card the balance on his account, which is nearly £200 is showing £0.00 online, he said Iceland customer service still can’t tell him when it will appear.

The budget frozen food retailer still hasn’t communicated to Mr Flynn as to why the new Bonus Cards can’t be used online.

“I have wasted hours now trying to get it working online, visiting a shop to get my balance, and calling the help desk,” he said.

Mr Flynn is now looking to pursue a legal route to recover the money he can’t access if the issue isn’t resolved this week, he said:

“It’s now been almost three weeks since that ridiculous letter from your CEO, in which he wrongly blames me, saying that I used the same password on all my online accounts.

This is simply not true, and I very much resent him writing that, to say nothing of being astonished that he would do so.

I’m afraid that if Iceland cannot sort this out within the next week, then I will pursue a legal route to recover the money I cant use.”

A spokesperson for Iceland said:

“Iceland has identified instances of unlawful access to a small proportion of its customers’ Bonus Card accounts, using login details and passwords stolen through security breaches at other organisations.

We have taken action to stop this and, as a sensible precaution to protect our customers, we have temporarily disabled the accounts and related Bonus Cards concerned.

“There has been no breach of Iceland’s own systems, nor any loss of data from Iceland itself.

“Criminals have been able to achieve this unlawful access because members of the public sometimes use the same password across multiple websites: this enables hackers to make use of stolen passwords from previous security breaches of other websites.

We strongly recommend that customers adopt a unique password for every website they use.

“Iceland has engaged forensic cyber-security experts who have helped to conduct a full investigation of the issue, and has adopted additional security monitoring to detect and prevent further unlawful attempts to access customers’ accounts.”

Deeside.com contacted the Information Commissioner’s Office on November 12 for a comment, we are still awaiting a response.