Luxury spa with Winnipeg location says customer data compromised in security breach

A Quebec-based luxury spa owner says a data breach may have affected customers who recently bought gift certificates on its platform.

Groupe Nordik, which operates three spa locations in Quebec, Winnipeg and Whitby, Ont., says they became aware of suspicious activity on their gift certificate system in late February and that credit card information may have been compromised.

In a letter sent to affected customers, the company says the breach included “access to your personal information by a non-authorized third party, from November 4, 2022, to February 27, 2023.”

The company says after learning of the breach they immediately shut down the system and hired a third-party cyber security firm to investigate.

“We have since enhanced security measures on all Groupe Nordik systems, including the gift certificate system, and will continue to work with the cyber security firm to maximize the protection of our client’s data,” the company said in a statement to CityNews. “We have asked our customers to stay vigilant and report any suspicious activity to local authorities.”

A number of affected customers took to social media, claiming hundreds of dollars had been charged to their credit cards for Uber and food delivery services.

"Last week someone other than her started charging things to uber using her credit card info. She is really careful with her cards. They charged ~ $700 on Uber before she could cancel her card with the Bank… Nordik info leak is pretty severe." https://t.co/uz4pNRPx3x #ottnews https://t.co/XpiF8CqS9t

— Greg Macdougall (@GregEqEd) April 5, 2023

Last October, the spa was forced to close its Whitby location for almost a month after more than two dozen customers became ill after staph bacteria was found in a saltwater pool shortly after its grand opening. A lawsuit on behalf of 72 plaintiffs has been filed seeking $5 million from the Quebec-based spa group.