Tesco Website Hack Attempt: What We Know So Far


Tesco website and app back online after hackers apparently attempted to ‘interfere’ with the supermarket’s website and app

Tesco on Monday confirmed that its website and app are now back up and running, after the supermarket confirmed attempts “to interfere with our systems.”

“Our groceries website and app are back up and running, so you can now use them again as usual,” the UK’s biggest supermarket chain tweeted on Sunday evening. “We’re really sorry for any inconvenience while we were trying to restore service.”

The Tesco outage began late on Friday or early on Saturday and lasted through to Sunday evening, meaning shoppers were unable to order goods and track deliveries during that period.

Systems ‘interference’

Tesco has sought to reassure customers that their data has not been impacted, after it admitted there had been attempts to access its systems.

“There is no reason to believe that this issue impacts customer data and we continue to take ongoing action to make sure all data stays safe,” a Tesco spokesperson told the BBC.

“Since yesterday, we’ve been experiencing disruption to our online grocery website and app,” the spokesperson reportedly said.

“An attempt was made to interfere with our systems which has caused problems with the search function on the site,” the spokesperson added. “We’re working hard to fully restore all services and apologise for the inconvenience.”

Tesco’s systems were recovered by Sunday evening, and there is no further word from the supermarket giant over the nature of the “interference” with its systems.

Security scares

But Tesco has been in the cyber security spotlight before.

Silicon UK revealed in July 2012 that the Tesco website contained an XSS flaw, which could have helped hackers hijack customer accounts by having session cookies sent to attacker-controlled servers.

In 2013 Tesco contacted the police after claims that customer accounts had been hacked and ClubCard vouchers pilfered.

But worse was to follow in February 2014, when Tesco was forced to deactivate the online accounts of 2,000 of its customers after details of their accounts were posted following a security breach of its website.

In November 2016 Tesco Bank was forced to suspend all online transactions after it found that criminals were trying to access customers’ accounts – prompting regulatory concern.

In March 2020 Tesco warned of “fraudulent activity” surrounding some account holders of its Clubcard loyalty scheme. It said that no customer’s financial data was accessed, and it said it didn’t seem to be a hack of Tesco’s internal systems.

Rather, it seemed that someone stole password/username combinations from other website(s) and used them to try to access Tesco sites.

Breach risk

Security experts have warned that people’s personal data remains at risk in our increasingly online world, and said people should hand over the bare minimum of data to websites and service providers.

“While more of our daily activities feature online, our personal information will remain increasingly at risk to a data breach,” noted Jake Moore, the former Head of Digital Forensics at Dorset Police and now cybersecurity specialist at global cybersecurity firm, ESET.

“Attackers constantly target big organisations with damaging effects which can have massive impact on their customers,” said Moore. “Whether it be nefarious or otherwise, once a system goes down it can often be a long time before the full impact is seen by the organisation and their customers but we are unlikely to ever know the full details as to how it may have occurred.”

“Many data breaches are found to have stolen more information than initially thought so it is always best to err on the side of caution and change any passwords once the system allows the changes,” Moore concluded. “Furthermore, where possible it is advised to hand over the minimum amount of personal data on websites which store your information.”

Awareness training

Another security expert noted that large organisations holding personal data on their customers should be building awareness among their staff of the increasing cyber risks.

“At a time when retailers are increasingly relying on online sales, this attack will no doubt have had a significant impact on operations over the past couple of days,” said Dominic Trott, UK Product Manager at Orange Cyberdefense.

“While we have no detail about the cause of this particular incident, over the past 18 months we have seen an increase in threats against large organisations as a result of changes to the network perimeter due to the adoption of flexible and remote working,” said Trott.

“Employees now hold far greater responsibility with regards to company security,” said Trott. “Their endpoint devices – such as company laptops or phones, or personal devices they connect to the corporate network – are all potential gateways for cybercriminals.”

“The human threat to cybersecurity is a risk that should be mitigated with both technology and training,” said Trott. “As the vast majority of human error is unintentional, implementing ongoing training and awareness building is a crucial tool.”

“This should include teaching employees to recognise phishing attempts and any malicious activity that may be aimed at exploiting those that may not have security front of mind,” Trott concluded. “By doing this, businesses can make employees their first line of defence when it comes to endpoint protection.”