Last summer, members of an online forum for Canadian consumers noted a rash of disappearing balances on electronic gift cards issued by Walmart.Ìý
The thread grew for nearly a year with people reporting hundreds, sometimes thousands, of dollars vanishing from digital cards.
Had they all been hacked? Did they discover a security breach at Walmart?
For months, the group had more questions than answers but one thing was certain. Their money was gone.Ìý
Walmart Canada told the Star it is “not aware of a widespread issue pertaining to e-gift cards.”Ìý
The Problem: A vanishing balance
Denni Wong, a pc28¹ÙÍøcybersecurity specialist, spent five months trying to recoup $200.
But his pursuit for accountability was never just about recovering his own money.
“On at least six occasions, Air Canada did the exact same thing and separated us at the last
“I’m just a small fish here,” said Wong, adding that other shoppers have reported losing thousands.
“A lot of people don’t have the energy to go through this and fight,” Wong said, so he reached out to many online, asking them to send him their stories to help him understand the scope, and potentially the source, of the problem.
His odyssey began last November. He was en route to pick up an iPad he’d ordered online, when Walmart emailed him to say his order had been cancelled.
He had paid for part of the order with a $200 Walmart gift card he’d redeemed using Air Miles. The company followed up with another message letting him know it had transferredÌýhis refund to a new electronic gift card.Ìý
When he tried to use the gift card a week later, the payment wouldn’t go through. The card’s balance was $0.Ìý
He diligentlyÌýtracked his efforts to get help from Walmart using aÌýspreadsheet. Among theÌý16 interactions heÌýloggedÌýwith Walmart customer service agents was oneÌýwith an agent whoÌýinstructed him to file a fraud report with police, which he did in early December.
In January, Walmart emailed Wong saying it was escalating his complaint.
Readers and experts flood my inbox after report of a pc28¹ÙÍøman needing nearly $1,400 in
In March, the company reached out again to say it was closing his case, was “not liable” and could not tell him when the card’s balance had been spent or whether it even carried a balance to begin with.
Walmart told him its “higher escalations team” recommend he change his email password; that perhaps his login credentials were compromised.
Again, the company suggested he file a police report for his “stolen funds” and linkedÌýto its webpage on preventing gift card fraud.
Wong said he’s “quite confident” the issue did not lay with him.
“Because I’m an IT professional,” he said, “I do have to check my devices periodically to make sure that my accounts or my devices are not hacked.”
Star helps: Walmart reopens case
Wong shared with the Star his meticulous notes and communications with Walmart and York Region police.Ìý
“This is not an isolated incident,” he said. “Many other customers — some of whom are sharing their experiences with me online — are facing similar problems and have lost hundreds of dollars with widespread dissatisfaction from the customer service atÌýWalmartÌýCanada.”
He directed me to an 11-page thread on , where other consumers shared similar experiences with Walmart’s electronic gift cards.
Long-time and prolific redflagdeals user, max88, collated theÌýcomplaints and spotted a pattern.Ìý
Turns out there is no surge pricing for taxis — something Peter Muto wondered about after being
Max88Ìýidentified three distinct types of gift cards sold or exchanged on Walmart Canada’s website: those purchased directly from the website, ecards provided to Walmart shoppers as a reward or promotion and those that are emailed by the company to consumers in place of a cash refund for orders it couldn’t fulfil that were fully or partially paid for using electronic gift cards. Ìý
Walmart’s refund ecards,Ìýmax88 reported, seemed to be the primary source of the problem.Ìý
“Every time there was a refund,” Wong explained, “it seems the system generated this particular email with a card number and the PIN. I wonder if this was completely visible internally at Walmart.”
If it was, it would pose a security threat. The forum members also noted the e-gift card refunds included card numbers and PINs that were astonishingly predictable and didn’t lock out users who entered incorrect data after several tries.
Wong said the group noted those vulnerabilities appear to have been fixed in the last few months.
In late March, a company spokesperson told me she would look into Wong’s complaint.
I sent her a link to the online forum and asked if Walmart had indeed experienced a security breach with a segment of its electronic gift cards.Ìý
“Walmart is confident that the security protocols it has in place in connection with the e-gift card distribution process are appropriate,” the spokesperson wrote on Friday in an email.Ìý“We take concerns of this nature seriously and work with our customers on a case-by-case basis to review their concerns, investigate and resolve issues directly with them.”
The Resolution: Wong gets his money back
The day after I reached out to Walmart on Wong’s behalf, an email landed in his inbox just before supper.Ìý
“WalmartÌýCanada has sent you a Gift Card” the subject line said. The $200 balance was intact. There was no explanation or apology.
Wong, an IT director for a major investment firm who has worked in the industry for 18 years, has a theory on what happened. He said he tried to raise these issues with the company but the subject matter went well over the heads of the employees assigned to deal with him.
The first refund Walmart emailed him, which he shared with the Star, came directly from the company.
The electronic gift card number and PIN code were both written out in the body of the message, a major faux pas in cybersecurity.
“It’s pretty amateurish,” Wong said. “If you were to buy a gift card in store, the PIN is usually hidden. You have to scrape that off. And you know when it’s scraped off, the card’s probably compromised. So in this case, they are doing exactly what shouldn’t be done, which is including all information in one email.
TheÌýCCTS saw aÌý31% rise in wirelessÌýcustomers reporting incorrect charges and a shocking 360%
“They should have separated the content of the email between the card number and the amount that’s on it and the security feature, which is a PIN in this case.”
In contrast, the refund email Wong received late last month looked much different and didn’t come directly from Walmart but from .
Buyatab supplies major retailers with online gift card infrastructure, technology and marketing services.
“If you look at the second email, you have to click on a button to go somewhere else to access the giftcard,” said Wong. “And when you go there, it makes you put in your phone number for recovery purposes. The level of security is different.”
Wong believes the change in protocol is a sign the old system had been “compromised.”
“As a consumer, if you can no longer trust that kind of payment or the retailer is not willing to step up when frauds occur, that’s a huge problem,” Wong said.Ìý
When the new gift card landed in his inbox a few weeks ago, so worried was Wong that the money might disappear again, he rushed to buy something online.
“My family was like, we’ve got to buy whatever just to spend it, that’s how anxious we were.”
He ordered six boxes of pee pads for the family dog, a purchase he said will be last with the company.Ìý
To join the conversation set a first and last name in your user profile.
Sign in or register for free to join the Conversation