Tesco, the British supermarket chain, has sent a warning to 600,000 loyalty card members over a potential data breach involving Clubcard usernames and passwords.
Tesco Clubcard holders received an email from the supermarket notifying them of a possible security issue. The loyalty scheme that came under attack lets users build up points towards rewards, earning one point for every pound spent.
After discovering the potential breach, a Tesco spokesperson said: "We are aware of some fraudulent activity around the redemption of a small proportion of our customers' Clubcard vouchers". Tesco has approximately 19 million Clubcard holders.
Tesco believes the attackers got into users' accounts using a list of usernames and passwords stolen from other sites, which worked wherever people had reused the same credentials. The fraudsters are thought to have logged into Tesco sites in order to redeem shoppers' vouchers.
The spokesperson reassured consumers: "We have strict security measures in place and our priority is protecting our customers. Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts."
Tesco advises the following precautions in the wake of this breach:
- Customers should reset their passwords
- Customers should let Tesco know if any of their vouchers have been affected, so they can be reimbursed accordingly
- New replacement Clubcards will be issued as a precaution
Customers with any remaining concerns can contact Tesco customer services on 0800 50 5555. The supermarket also has a 'stay safe online' section on its website.
Paul Bischoff, consumer privacy expert at Comparitech, told teiss that this type of cyber-attack is known as credential stuffing. He explains: "In this attack, hackers attempt to log into accounts using usernames and passwords leaked from previous, unrelated data breaches and other sources".
And what can we learn from this particular incident? Paul says: "The attack demonstrates why customers should never reuse passwords across multiple accounts.
"If one account is compromised, criminals will attempt to reuse the same usernames and passwords on other accounts. This process is usually automated so that attackers can attempt hundreds of thousands of logins in a very short time.
"There's little Tesco could do to stop such an attack other than offer users two-factor authentication and limiting the number of login attempts. Two-factor authentication would require customers to enter a one-time PIN number sent via SMS, email, or authenticator app whenever logging in from a new device".
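To make the two points above concrete, here is an added example (not code from Tesco, teiss or Comparitech) that flags credential stuffing in login records and applies the per-account attempt limit the quote mentions. The log format, IP addresses, account names and thresholds are all constructed assumptions for illustration.

```python
"""Credential-stuffing detection over login records plus a per-account attempt limit.

Added example, not Tesco's or teiss's code. The log format, addresses,
usernames and every threshold below are assumptions made up for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # look-back window per source IP (assumed)
MIN_ATTEMPTS = 8                # attempts in the window before we judge a source (assumed)
DISTINCT_RATIO = 0.8            # share of attempts that each hit a different account (assumed)

# Constructed sample records: "timestamp ip username result".
# 203.0.113.7 sprays ten different accounts in five seconds (stuffing, two hits),
# 198.51.100.4 retries one account (password guessing, not stuffing),
# 192.0.2.33 is an ordinary login.
SAMPLE_LOG = """\
2020-03-02T09:00:01 203.0.113.7 alice@example.com FAIL
2020-03-02T09:00:01 203.0.113.7 bob@example.com FAIL
2020-03-02T09:00:02 203.0.113.7 carol@example.com SUCCESS
2020-03-02T09:00:02 203.0.113.7 dave@example.com FAIL
2020-03-02T09:00:03 203.0.113.7 erin@example.com FAIL
2020-03-02T09:00:03 203.0.113.7 frank@example.com FAIL
2020-03-02T09:00:04 203.0.113.7 grace@example.com SUCCESS
2020-03-02T09:00:04 203.0.113.7 heidi@example.com FAIL
2020-03-02T09:00:05 203.0.113.7 ivan@example.com FAIL
2020-03-02T09:00:05 203.0.113.7 judy@example.com FAIL
2020-03-02T09:01:10 198.51.100.4 alice@example.com FAIL
2020-03-02T09:01:25 198.51.100.4 alice@example.com FAIL
2020-03-02T09:01:40 198.51.100.4 alice@example.com SUCCESS
2020-03-02T09:02:00 192.0.2.33 bob@example.com SUCCESS
"""


def parse_log(text):
    """Turn 'timestamp ip username result' lines into event dicts, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "SUCCESS"})
    return events


def detect_stuffing(events):
    """Return {ip: summary} for sources whose pattern looks like credential stuffing.

    The signature is many attempts per window that each target a *different*
    account. Guessing against a single account, or a customer mistyping a
    password, has a low distinct-account ratio and is not flagged here.
    """
    flagged = {}
    recent = defaultdict(deque)   # ip -> (ts, user, ok) tuples inside WINDOW
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"], ev["ok"]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        attempts = len(q)
        if attempts < MIN_ATTEMPTS:
            continue
        distinct = len({u for _, u, _ in q})
        if distinct / attempts >= DISTINCT_RATIO:
            # Successful logins inside the spray are the accounts needing a reset.
            flagged[ev["ip"]] = {
                "attempts": attempts,
                "distinct_accounts": distinct,
                "compromised": sorted({u for _, u, ok in q if ok}),
            }
    return flagged


class LoginThrottle:
    """Per-account limit: after MAX_FAILURES failures inside LOCK_WINDOW the
    account refuses further attempts until the oldest failure ages out."""
    MAX_FAILURES = 5                  # assumed
    LOCK_WINDOW = timedelta(minutes=15)  # assumed

    def __init__(self):
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures

    def allow(self, user, now):
        q = self.failures[user]
        while q and now - q[0] > self.LOCK_WINDOW:
            q.popleft()
        return len(q) < self.MAX_FAILURES

    def record(self, user, now, ok):
        if ok:
            self.failures[user].clear()
        else:
            self.failures[user].append(now)


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['attempts']} attempts on {info['distinct_accounts']} "
              f"accounts; reset {info['compromised']}")
```

The detector keys on the one thing that separates credential stuffing from password guessing against a single account: a stream of attempts from one source, each against a different username. The per-account limiter in LoginThrottle is the control the quote refers to, but on its own it does little against stuffing, because each account sees only one or two attempts; an aggressive lockout can also be turned into a denial of service against customers. Attackers spread attempts across proxies, so a per-IP threshold is a starting point rather than a complete control.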
What is actually at stake when loyalty points are stolen or compromised? Michael Reitblat, CEO and Co-Founder of Forter, explains: "Reward points are a currency as valuable and untraceable as cash, and fraudulent activity in these accounts causes damage to brand reputation and significant monetary losses to merchants".
He cautions: "Loyalty program accounts are low hanging fruit for fraudsters, with loyalty program fraud rising 89% year on year".
Tesco reported the incident to the Information Commissioner's Office (ICO) and is confident that no financial data was compromised. The supermarket apologised for the inconvenience.