Auchan Suffers Another Data Breach, Exposing Customer Loyalty Data
The Auchan retail chain has fallen victim to a cyber incident targeting its customer loyalty program. This time, attackers gained access to the personal data of clients registered in the Waaoh loyalty scheme. Information released publicly includes details sufficient to build complete customer profiles: salutations, first and last names, addresses, phone numbers, email addresses, and loyalty card data. While the company assures that no financial details, passwords, or PIN codes were compromised, the mere fact of exposure creates heightened risks of targeted phishing and identity theft.
To prevent fraud involving accumulated rewards, Auchan temporarily disabled the cards of affected customers. Restoring access requires clients to visit stores in person, where new cards are issued. This measure underscores the gravity of the breach: the very architecture of the loyalty system has become a point of weakness. Notably, the official letter sent to customers on August 21 is almost word-for-word identical to the notification they had received following the previous attack in November 2024.
The company has informed the French data regulator CNIL, in compliance with the European GDPR framework. Its statement emphasizes that the incident has been contained and that the response was undertaken “with maximum rigor.” However, no technical details have yet been disclosed: how the intruders gained entry, how long the access persisted, or who may have been behind the attack. It also remains unclear whether this was an isolated event or part of a broader pattern of compromises, such as the 2024 breach that put more than half a million customers at risk.
Particularly troubling is the repetition of the scenario. A notification nearly identical to the previous one risks being perceived as a perfunctory response, failing to reflect the true depth of the issue. At the same time, the case highlights the vulnerability of loyalty services. These platforms store not only records of consumer habits but also full sets of contact details, which in the hands of cybercriminals become powerful tools for phishing. With simultaneous access to names, addresses, and emails, attackers can craft highly convincing fraudulent messages impersonating the company, luring victims into divulging sensitive information.
Auchan has urged its customers to remain vigilant and to ignore emails, phone calls, or messages requesting logins, passwords, or verification codes. A dedicated hotline has been set up to assist those affected. Yet the broader picture raises a critical question: are auxiliary services such as loyalty programs being secured with the same rigor as core business systems? This incident demonstrates vividly that the weakest link often lies where it is least expected—and that the risks of identity theft remain alarmingly high.