The Express Gazette
Tuesday, December 30, 2025

Criminals Using AI to Harvest Loyalty Card Points in Growing UK Black Market

Operators are generating card numbers and fake barcodes to siphon rewards from schemes including Nectar and Boots Advantage, industry and watchdog sources say

Technology & AI 3 months ago

British loyalty card points are being stolen on a large scale by criminal networks that use artificial intelligence to generate valid card numbers and create fake barcodes, feeding a black market now estimated at about £300 million, the Daily Mail reported Monday.

Security specialists and industry sources told media outlets that the thefts are affecting a broad range of supermarket and retailer schemes, including Nectar and the Boots Advantage programme, and that roughly one in 20 consumers may have been targeted. Analysts cited in reporting estimated that as much as £6 billion in loyalty points sits unclaimed across UK accounts, creating a lucrative opportunity for organised criminals.

Frank Teruel, chief operating officer of anti-cybercrime platform Arkose Labs, described the activity as "loyalty card cyber warfare," telling The Sun on Sunday that the attacks are analogous to stealing cash but much harder to police when carried out remotely. He said criminals use automated tools and AI to generate random card numbers until a valid account is found, then convert points into spendable value with counterfeit barcodes or by moving rewards to mule accounts.

The Daily Mail cited individual victims whose accounts were drained. Julie Dowling, 50, of Crayford in Kent, reported 46,000 Nectar points—about £230—taken from her account in June; the points were later refunded, the report said. Another customer, Gail Birch of Bridgnorth, had 15,800 Nectar points, approximately £79, removed in February. The thefts were traced to other parts of the country, underscoring the remote nature of the attacks.

Retailers and loyalty operators have deployed a range of technical and account controls to limit fraud. Nectar introduced a "Spend Lock" feature in February to allow members to freeze their ability to redeem points while still collecting rewards and offers; the lock must be removed before points can be spent. The rollout followed an investigation by consumer site This Is Money that reported 12.5 million Nectar points—worth nearly £63,000 at the time—had been stolen from readers over the previous year.

Boots has previously suspended Advantage Card payments in reaction to attempts to access large numbers of accounts. In March 2020 the retailer halted some services after what it described as attempts to break into roughly 150,000 customer accounts using stolen passwords, according to contemporaneous coverage. In the same month Tesco reissued Clubcards to about 600,000 customers after attackers tried passwords obtained from other breached platforms against its website, illustrating the long-running problem of credential-stuffing and cross-platform account compromise.

The Competition and Markets Authority, which carried out a broad review of supermarket loyalty pricing last year, found loyalty schemes do produce "genuine savings" for many customers while cautioning that members should still compare prices. The CMA said its analysis of about 50,000 loyalty-priced products showed 92% offered savings versus usual prices and that loyalty discounts could be worth up to about 25% on some items. As part of its review the watchdog examined how supermarkets collect and use consumer data when customers join loyalty schemes and reported it did not find evidence of consumer law breaches on that basis.

A Sainsbury's spokeswoman said Nectar is one of the UK's largest schemes, with more than 23 million members, and described account security as the operator's "highest priority." The spokeswoman said the proportion of members affected by fraud each year is small and reiterated that the chain uses a range of detection measures, including the Spend Lock feature, and operates a helpline to support victims. The Mail said it had contacted Boots for comment.

Cybersecurity experts and industry figures said the combination of long-held unspent points balances, simple numeric card identifiers and automated attack tools has made loyalty schemes an attractive target. Unlike physical thefts, the remote and often cross-border nature of points conversion complicates enforcement and recovery. Retailers and scheme operators continue to deploy technical barriers, monitoring and customer support to reduce losses, while regulators and consumer groups monitor the industry for risks to customers.

The scale of the problem and the diversity of countermeasures underline the evolving security challenge for retail loyalty systems as criminals adopt more sophisticated tools, including machine learning and automation, to probe and exploit account weaknesses.

