What does Iceland say?
A spokesperson said: “Iceland has identified instances of unlawful access to a small proportion of its customers’ Bonus Card accounts, using login details and passwords stolen through security breaches at other organisations. We have taken action to stop this and, as a sensible precaution to protect our customers, we have temporarily disabled the accounts and related Bonus Cards concerned.
“There has been no breach of Iceland’s own systems, nor any loss of data from Iceland itself.
“Criminals have been able to achieve this unlawful access because members of the public sometimes use the same password across multiple websites: this enables hackers to make use of stolen passwords from previous security breaches of other websites. We strongly recommend that customers adopt a unique password for every website they use.
“Iceland has engaged forensic cyber-security experts who have helped to conduct a full investigation of the issue, and has adopted additional security monitoring to detect and prevent further unlawful attempts to access customers’ accounts.”
We’ve approached the Information Commissioner’s Office for comment and will update this story when we hear back.
If you’ve been affected by this issue, let us know at firstname.lastname@example.org.