
A Wisconsin man and his wife have been charged with stealing nearly $100,000 worth of Kohl’s Cash from unsuspecting Kohl’s shoppers – and are suspected of stealing an untold amount of customer rewards from more than a dozen other retailers as well – in order to sell them all online at half price.

Federal prosecutors have charged Robert and Diana Gordon of Weston, Wisconsin with identity theft and fraud, in connection with a scheme to hack into retailers’ websites with customers’ login information, to steal any loyalty rewards they had earned. The two are accused of using some of the rewards for themselves, and selling the rest – not on the black market or the dark web, but right out in the open, on Twitter.

In a newly-unsealed criminal complaint, prosecutors say Kohl’s alerted them to the scam after receiving a note from a tipster. “This account @OfficialJigLord steals customers’ info and sells their Kohl’s Cash on Twitter,” the tipster said. “Just check out his tweets and you will see for yourself.”

And sure enough, that Twitter account openly discussed having customer rewards to sell, from retailers including Kohl’s, American Eagle, Chick-fil-A, Qdoba, ULTA, Chipotle, Starbucks, Shell, Bath & Body Works, IHOP, Panera Bread and more. The account instructed followers how to purchase the rewards for their own use, and even invited satisfied customers to tag the account in posts announcing their success using the rewards they purchased.

And several users did. “How can I repay you, honestly?” one customer wrote. “Life will never be the same,” another gushed. “Y’all go follow @OfficialJigLord ASAP if you don’t like paying full price,” a third user advised others.

Kohl’s Cash, which customers earn by making purchases and can redeem for cash off future purchases, was sold to Twitter followers at 50% of its face value. “For instance, you spend $50 to get $100, or $250 to get $500,” the account’s how-to guide explained.

Prosecutors say Kohl’s identified the Twitter account as belonging to Robert Gordon, a Staff Sergeant and active reserve member of the U.S. Army. His wife Diana is also a member of the Army Reserve. When they weren’t selling Kohl’s Cash and other customer rewards, prosecutors say, they were using them for themselves.


Over a nine-month period beginning last year, the criminal complaint says approximately 68 orders were submitted to Kohl’s website, “with account information listing Robert Gordon or Diana Gordon… The purchasers used approximately 200 different Kohl’s Cash certificates, with a total value over $10,000, originally issued to other people.”

The criminal complaint says some orders were delivered to the Gordons’ home, while others were picked up in a local store. In one case, Robert Gordon is accused of making a nearly $300 purchase online using Kohl’s Cash certificates belonging to at least four different Kohl’s customers, then going to the store to pick up his order – wearing his military fatigues.

Prosecutors say nearly $90,000 worth of Kohl’s Cash that the Gordons didn’t use for themselves was offered for sale online. The @OfficialJigLord Twitter account even posted photos showing exactly how it was all done. The photos showed a computer that appeared to be automatically running a script, rapidly trying different combinations of user names and passwords in an apparent attempt to access customers’ accounts.

Prosecutors say Kohl’s traced the IP address of Gordon’s computer, and found that “several thousand login attempts to Kohl’s webstore were made from that IP address. The login attempts used different, unique usernames and passwords to try to access the website,” the criminal complaint explained. “A small percentage of the login attempts were successful and Kohl’s Cash certificates and their corresponding information (bar number, PIN number, etc.) was exfiltrated from the user’s account.”

This indicated to investigators that the computer was using “a database of email addresses and passwords, possibly stolen from another source such as a business or email provider, and was bombarding Kohl’s website with these credentials to steal any Kohl’s Cash from accounts that had the same username and password for their Kohl’s account that was in the larger database.”

This is precisely why security experts say you should never use the same password for multiple accounts. If there’s a security breach and hackers gain access to a list of logins and passwords for one website, they can try those login credentials on an endless number of other websites, looking for a match. If they find one, they can gain access to your account and quickly drain whatever cash balance or customer rewards you have saved there.
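The pattern the complaint describes, several thousand login attempts from one address, each under a different username, with only a small fraction succeeding, is what a retailer's own login logs can be checked for. The following is an added example (not code from the article or from Kohl's) that runs that check over constructed sample log lines; the log format, the IP addresses and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not real Kohl's data): one address cycles through many
# distinct usernames with a low hit rate; a normal user mistypes a password once.
SAMPLE_LOG = """\
2023-03-01T10:00:01 ip=198.51.100.7 user=alice@example.com result=fail
2023-03-01T10:00:01 ip=198.51.100.7 user=bob@example.com result=fail
2023-03-01T10:00:02 ip=198.51.100.7 user=carol@example.com result=success
2023-03-01T10:00:02 ip=198.51.100.7 user=dave@example.com result=fail
2023-03-01T10:00:03 ip=198.51.100.7 user=erin@example.com result=fail
2023-03-01T10:00:03 ip=198.51.100.7 user=frank@example.com result=fail
2023-03-01T10:00:04 ip=198.51.100.7 user=grace@example.com result=fail
2023-03-01T10:00:04 ip=198.51.100.7 user=heidi@example.com result=fail
2023-03-01T10:00:05 ip=198.51.100.7 user=ivan@example.com result=fail
2023-03-01T10:00:05 ip=198.51.100.7 user=judy@example.com result=success
2023-03-01T10:01:00 ip=203.0.113.9 user=mallory@example.com result=fail
2023-03-01T10:01:20 ip=203.0.113.9 user=mallory@example.com result=success
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(success|fail)")

def summarize_by_ip(log_text):
    """Per source IP: attempt count, set of usernames tried, success count."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for m in LINE_RE.finditer(log_text):
        ip, user, result = m.groups()
        stats[ip]["attempts"] += 1
        stats[ip]["users"].add(user)
        stats[ip]["successes"] += 1 if result == "success" else 0
    return stats

def credential_stuffing_sources(log_text, min_attempts=10,
                                min_distinct_ratio=0.8, max_success_rate=0.25):
    """Flag IPs matching the complaint's pattern: many attempts, nearly every
    one under a different username, only a small fraction successful.
    Thresholds are illustrative assumptions, not tuned values."""
    flagged = {}
    for ip, s in summarize_by_ip(log_text).items():
        distinct_ratio = len(s["users"]) / s["attempts"]
        success_rate = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts and distinct_ratio >= min_distinct_ratio
                and success_rate <= max_success_rate):
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "successes": s["successes"]}
    return flagged
```

A real deployment would read the web server's authentication log instead of the embedded sample, and the successful logins from a flagged address are the accounts whose rewards balances should be checked first.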

It’s the same kind of scam that led to several Ibotta users’ accounts being emptied several years ago. Fraudsters have also grown adept at letting computers do the work for them, automatically making thousands of login attempts, just as the Gordons are accused of doing. It happened to Staples a few years ago, and has even happened to Kohl’s before.

The Gordons have been released from federal custody ahead of their next court appearance next week. If convicted, they face up to 20 years imprisonment on the most serious charge of wire fraud, a maximum $250,000 fine, and potential restitution to Kohl’s, which says it has reimbursed customers who discovered their Kohl’s Cash had been stolen. There’s no word yet whether the Gordons may face any additional charges for allegedly targeting other retailers’ rewards programs, or whether their customers could be in trouble for purchasing stolen property.

In the meantime, you might want to log in to your Kohl’s account to make sure any Kohl’s Cash you’ve earned is still there. And if it is, it can’t hurt to change your password – just to make sure the rewards you’ve earned don’t end up for sale to someone else in the future.
