Tesco sends security warning to 600,000 Clubcard holders

Image source, Getty Images

  • Author, Zoe Kleinman
  • Role, Technology reporter, 大象传媒 News

Tesco is issuing new cards to 600,000 Clubcard account holders after unearthing a security issue.

The supermarket giant said it believed a database of stolen usernames and passwords from other platforms had been tried out on its websites, and may have worked in some cases.

No financial data was accessed and its systems have not been hacked, it added.

It said this was a precautionary measure and apologised for the inconvenience.

"We are aware of some fraudulent activity around the redemption of a small proportion of our customers' Clubcard vouchers," a Tesco spokesperson said.

"Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts."

The supermarket said it had emailed everybody potentially affected, that nobody would lose their points and new vouchers would also be issued.

One of those who received an email was Josh, who works in IT.

"The email was very ambiguous," he said.

"I thought it was because I'd just used a new bank card. I didn't realise it was actually my account details that could have been compromised.

"It worried me - I feel better now it's been clarified."

Others responded in good humour on social media, questioning how much their points would actually be worth to a hacker.

The UK loyalty scheme offers one point for every pound spent in store. Every 100 points are worth 拢1.

The 大象传媒 understands about 19 million people have a Clubcard account.

Skip Twitter content
Allow Twitter content?

This article contains content provided by Twitter. We ask for your permission before anything is loaded, as they may be using cookies and other technologies. You may want to read Twitter and before accepting. To view this content choose 'accept and continue'.

Warning: Third party content may contain adverts

End of Twitter content

Jake Moore, cyber-security specialist at the firm Eset, told the 大象传媒 plenty of people still use simple passwords or similar log-ins for many different platforms.

"Cyber-criminals can do a lot of damage with a large breached list simply containing names and emails or other trivial data," he said.

"The big risk is via brute force attacking the accounts where criminals use leaked common password combinations against the emails to try to break into other personal accounts."

Mr Moore suggested using password managers to generate and store uniquely different passwords, and two factor authentication where possible - in which a text message or email code is required as well as the password.