
Tesco Brings In Police Over ClubCard Hack

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Tesco in security hot water again as ClubCard vouchers go missing

Tesco has contacted the police after claims customer accounts had been hacked and ClubCard vouchers pilfered.

Customers complained vouchers had gone missing from their rewards accounts. Reports indicated vouchers worth hundreds of pounds had been stolen from those shoppers who had stored up their rewards.

It remains unclear what kind of breach may have taken place and Tesco is keeping schtum on the details.

Tesco initiates investigation

“We have launched a thorough investigation into a small number of incidents and referred the matter to the police,” a Tesco spokesperson said, in an emailed statement sent to TechWeekEurope.

“In the meantime, we’d like to ask any customers who believe they’re affected to contact us directly so that we can make sure their accounts are up to date.”

The incident will do little to appease those frustrated with Tesco security. Last year, security researcher Troy Hunt brought to light various issues with the supermarket giant’s security, most notably that it was sending user passwords in plain text, indicating it wasn’t using proper hashing or encryption to protect user logins.

TechWeekEurope also revealed in July the Tesco website contained an XSS flaw, which could have helped hackers hijack customer accounts by having session cookies sent to attacker-controlled servers.

There were a host of other potential security problems with the site, but Tesco decided to remain quiet on the issue, without getting rid of any of the flaws for months. Eventually, in September, Tesco fixed the password problem but left the XSS flaw open. That has now been fixed too.
