Novo Nordisk Canada Inc.
The Organization contracts with Limeade, a third party service provider, to offer the NovoHealth platform to employees.
The platform allows employees to track activities to earn rewards in the form of gift cards.
In late September 2020, Limeade discovered a third party used automated means to guess usernames and passwords to gain unauthorized access to end users’ accounts. Limeade made product changes and the suspicious activity subsided.
In November 2020, Limeade became aware of some atypical email resets, user accounts unexpectedly ?leveling up,? and anomalies in gift card redemptions.
Gift card rewards were sent to fraudulently created email accounts and cashed in by the unknown third party. In some cases, gift card codes were fraudulently obtained from the user account directly upon a ?level up.? Limeade?s ongoing monitoring detected continued attempts to access accounts by validating usernames and passwords in January and February 2021. Some accounts were re-compromised. Limeade reset the passwords again.