Canada's largest energy company said it "believes" the information it lost to hackers was limited to customers' names and the information they "may have provided" since joining the program. Ah, the power of belief!

Well, let's just have a look, shall we? A quick search reveals that the Petro-Points program is one of the most popular marketing campaigns in Canada, with over 3 million enrolled customers. That's over 3M potential victims, until further notice.



As for the so-called "contact information" including home addresses, personal phone numbers, private dates of birth, unique email address, passwords and security questions, it also includes the location and frequency of all transactions and interactions with Petro Canada as well as RBC payment cards connected to the account. And because those points never expire, it looks like every person who has ever taken part in the program may now be a victim since the program is clearly a champion of perpetual data retention.

No word on whether financial data was impacted, but let's not forget that the program's hinge factor is the company's omnipresent mobile app whose ominous reminder seems to be hinting at something: "Whether you’re collecting Petro‑Points, starting a car wash or charging your electric vehicle, we are with you the whole way".

No kidding! Does your compromised data include every stop you've made since you installed the app? If so, perhaps Suncor's attempt at downplaying the severity of the event should instead focus on harms beyond those implied in their helpful "watch for unusual emails" recommendation.

How about a helpful reminder that lost security questions and login credentials may result in password stuffing attacks that could compromise identities?
Is it creepy that criminals might now know where your girlfriend lives? What about the exact days that you pick up your kids from school?
Is it unsettling that faceless parties might be able to reconstruct every path you've ever taken to get home for as long as that (now-disabled) app was watching?

Professors Solove and Citron have artfully argued that privacy harms exist well beyond those involving misuse of such "contact information", indicating that the psychological damage, economic impact, physical safety and the chilling effects of diverse autonomy harms are all in the cards when businesses turn loyalty programs into data brokerage opportunities.

It's true that under the circumstances, the mere offer of credit monitoring might have been considered laughably inappropriate, but any gesture of common courtesy would have been a step up from a cold and empty letter of regret announcing the aftermath of a preventable security incident.