Tesco Warns 600,000 Clubcard Holders Of Fraud

Tesco store carpark shop logo © JuliusKielaitis Shutterstock

Supermarket is issuing new cards to 600,000 Clubcard account holders after discovering some accounts had been compromised

Tesco has warned of “fraudulent activity” surrounding some account holders of its Clubcard loyalty scheme.

The supermarket said that no customer’s financial data accessed, and it doesn’t seem to be a hack of Tesco’s internal systems. Rather, it seems that someone stole password/username combinations from other website(s) and used them to try to access Tesco sites.

Password reuse is a common security vulnerability. This Tesco compromise reinforces the importance of changing passwords for different online services and websites.

Account compromise

Tesco will reportedly issue 600,000 new Clubcards to customers, although the stolen information has been utilised in order to try to gain access to up to 620,000 Clubcard accounts in total.

News of the problem arose when Clubcard account holders were sent an email by Tesco to make them aware of the issue.

Tesco has reportedly cancelled all affected vouchers, and it has assured customers that no Clubcard points will be lost and new vouchers will be issued.

Tesco’s loyalty scheme offers members one point for every pound spent, and every 100 points earned is worth £1 in in-store credit.

“We are aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers,” Tesco was quoted by ITV News as saying in a statement.

“We have strict security measures in place and our priority is protecting our customers,” Tesco reportedly said. “Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.”

“At no point was any customer’s financial data accessed,” the supermarket said. “We believe that someone has stolen password/username combinations from other website(s) and used them to try to access Tesco sites – where customers used the same username and password.”

2We have asked customers affected to reset their passwords and are contacting customers whose Clubcard vouchers may have been affected to let them know that we will replace these vouchers and issue new Clubcards, as a precaution,” it said.

“We are sorry for any inconvenience this may cause,” Tesco concluded.

Previous scares

This is not the first time that there has been a security scare involving Tesco’s Clubcard.

In 2013 Tesco contacted the police after claims that customer accounts had been hacked and ClubCard vouchers pilfered.

Customers had complained vouchers had gone missing from their rewards accounts. Reports at the time indicated vouchers worth hundreds of pounds had been stolen from those shoppers who had stored up their rewards.

Silicon UK also revealed in July 2012 that the Tesco website contained an XSS flaw, which could have helped hackers hijack customer accounts by having session cookies sent to attacker-controlled servers.

In 2014 Tesco was forced to deactivate the online accounts of several thousand of its customers after details of their accounts were posted following a security breach of its website.

Do you know all about security? Try our quiz!