RH-ISAC: Sainsbury’s rewards programme targeted by malicious actor for monetary gain
What: Cybercriminals are targeting Sainsbury's loyalty programme members through unauthorised account access and a fraudulent point-redemption scheme.
Why it is important: This incident reveals a critical security challenge for retailers as loyalty programmes evolve from simple point-collection systems to valuable digital assets requiring sophisticated protection measures.
Sainsbury's Nectar loyalty programme members are experiencing a significant surge in points theft, with one customer reporting the loss of two years' worth of accumulated points. This follows an earlier investigation that uncovered GBP 63,000 worth of stolen Nectar points over a one-year period, prompting the introduction of a "lock" feature for all accounts. The primary attack method involves unauthorised access followed by rapid redemption of the points at locations unfamiliar to the account holder, which suggests credential stuffing, phishing, or exploitation of a security vulnerability. While Nectar maintains that only a small proportion of accounts are affected and highlights protective measures such as the "Spend Lock" feature, the recurring incidents indicate an ongoing targeted campaign against one of Europe's largest loyalty programmes. Security experts are particularly concerned about the timing of these attacks during peak accumulation periods such as Christmas.
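The pattern described above (a compromised account drained quickly at locations it has never used, and a lock that refuses redemptions outright) can be turned into a simple detection rule. The following is an added illustration, not Nectar's or Sainsbury's code; the account ids, locations, balances and the one-hour/50% thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Redemption:
    account: str   # loyalty account id (constructed)
    ts: datetime   # when points were spent
    points: int    # points redeemed
    location: str  # store or partner where they were spent

def evaluate(history, events, balances, locked,
             window=timedelta(hours=1), drain_ratio=0.5):
    """Map each account with new events to a verdict: 'blocked' if its
    spend lock is on, 'suspicious' if at least drain_ratio of its balance
    is redeemed at never-before-seen locations inside `window`, else 'ok'."""
    familiar = defaultdict(set)            # per-account baseline of locations
    for r in history:
        familiar[r.account].add(r.location)
    by_acct = defaultdict(list)
    for e in sorted(events, key=lambda r: r.ts):
        by_acct[e.account].append(e)
    verdict = {}
    for acct, evs in by_acct.items():
        if locked.get(acct):
            verdict[acct] = "blocked"      # lock feature: refuse outright
            continue
        verdict[acct] = "ok"
        odd = [e for e in evs if e.location not in familiar[acct]]
        for i, first in enumerate(odd):    # sliding window over unfamiliar spends
            drained = sum(e.points for e in odd[i:] if e.ts - first.ts <= window)
            if balances.get(acct, 0) and drained / balances[acct] >= drain_ratio:
                verdict[acct] = "suspicious"
                break
    return verdict

# Constructed sample data, not real Nectar records.
T0 = datetime(2025, 6, 10, 9, 0)
HISTORY = [Redemption("acct-A", T0 - timedelta(days=40), 200, "Croydon"),
           Redemption("acct-B", T0 - timedelta(days=12), 150, "Leeds"),
           Redemption("acct-C", T0 - timedelta(days=5), 100, "Bristol")]
EVENTS = [Redemption("acct-A", T0, 3000, "Birmingham"),                      # never used before
          Redemption("acct-A", T0 + timedelta(minutes=20), 2500, "Coventry"), # drained in minutes
          Redemption("acct-B", T0, 300, "Leeds"),                             # usual store
          Redemption("acct-C", T0, 50, "Bristol")]                            # lock is on
BALANCES = {"acct-A": 6000, "acct-B": 4000, "acct-C": 900}
LOCKED = {"acct-C": True}

if __name__ == "__main__":
    print(evaluate(HISTORY, EVENTS, BALANCES, LOCKED))
```

A real deployment would hold the account's familiar locations and balance in the loyalty platform's own data store rather than in literals, and would feed "suspicious" verdicts into a step-up check rather than refusing the transaction by itself.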
IADS Notes: The Sainsbury's Nectar points theft incident in June 2025 aligns with a broader pattern of sophisticated cyber attacks targeting retail loyalty programmes. It follows the May 2025 revelation of a complex cybercrime supply chain specifically targeting retail loyalty programmes, in which criminals sell stolen credentials for as little as GBP 5. The timing is particularly significant because it coincides with industry data showing ransomware accounting for 30% of retail security incidents, with average losses reaching GBP 1.4 million per attack. The vulnerability of loyalty programmes has become increasingly critical as retailers expand their digital engagement strategies, while the Co-op's recent cyber attack affecting 20 million customers demonstrates the scale of potential breaches in major retail loyalty systems.