Tesco Warns 600,000 Clubcard Holders Of Fraud

Tesco has warned of “fraudulent activity” surrounding some account holders of its Clubcard loyalty scheme.

The supermarket said that no customer’s financial data was accessed, and that the incident does not appear to be a hack of Tesco’s internal systems. Rather, it seems that someone stole password/username combinations from other website(s) and used them to try to access Tesco sites.

Password reuse is a common security vulnerability. This Tesco compromise reinforces the importance of using different passwords for different online services and websites.

Account compromise

Tesco will reportedly issue 600,000 new Clubcards to customers, although the stolen information has been used to try to gain access to up to 620,000 Clubcard accounts in total.

News of the problem arose when Clubcard account holders were sent an email by Tesco to make them aware of the issue.

Tesco has reportedly cancelled all affected vouchers, and it has assured customers that no Clubcard points will be lost and new vouchers will be issued.

Tesco’s loyalty scheme offers members one point for every pound spent, and every 100 points earned is worth £1 in in-store credit.

“We are aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers,” Tesco was quoted by ITV News as saying in a statement.

“We have strict security measures in place and our priority is protecting our customers,” Tesco reportedly said. “Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.”

“At no point was any customer’s financial data accessed,” the supermarket said. “We believe that someone has stolen password/username combinations from other website(s) and used them to try to access Tesco sites – where customers used the same username and password.”

“We have asked customers affected to reset their passwords and are contacting customers whose Clubcard vouchers may have been affected to let them know that we will replace these vouchers and issue new Clubcards, as a precaution,” it said.

“We are sorry for any inconvenience this may cause,” Tesco concluded.

Previous scares

This is not the first time that there has been a security scare involving Tesco’s Clubcard.

In 2013 Tesco contacted the police after claims that customer accounts had been hacked and Clubcard vouchers pilfered.

Customers had complained vouchers had gone missing from their rewards accounts. Reports at the time indicated vouchers worth hundreds of pounds had been stolen from those shoppers who had stored up their rewards.

Silicon UK also revealed in July 2012 that the Tesco website contained an XSS flaw, which could have helped hackers hijack customer accounts by having session cookies sent to attacker-controlled servers.

In 2014 Tesco was forced to deactivate the online accounts of several thousand of its customers after details of their accounts were posted following a security breach of its website.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
