Tesco is to reissue 620,000 Clubcards after fraudulent activity left customer information exposed.
The retailer emailed Clubcard members yesterday to explain that hackers were believed to have stolen usernames and passwords from another website and attempted to use the same details to access Tesco sites.
The incident involved the redemption of a small proportion of customers’ Clubcard vouchers. No financial details were disclosed in the potential breach, but the Clubcards are to be reissued as a precaution.
A Tesco spokesperson said: “We are aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers. We have strict security measures in place and our priority is protecting our customers.”
The company said the attempted breach was picked up quickly by its internal systems and that it took immediate steps to protect customer data and restrict access to accounts.
The company apologised for any inconvenience caused and added: “We have asked customers affected to reset their passwords and are contacting customers whose Clubcard vouchers may have been affected to let them know that we will replace these vouchers and issue new Clubcards, as a precaution.”
Paul Bischoff, privacy advocate at Comparitech, commented that this attack is known as credential stuffing, where hackers attempt to log into accounts using usernames and passwords leaked from previous, unrelated data breaches and other sources.
“The attack demonstrates why customers should never reuse passwords across multiple accounts – if one account is compromised, criminals will attempt to reuse the same usernames and passwords on other accounts.
“There’s little Tesco could do to stop such an attack other than offer users two-factor authentication and limit the number of login attempts. Two-factor authentication would require customers to enter a one-time PIN number sent via SMS, email, or authenticator app whenever logging in from a new device.”
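The sketch below is an added example, not part of the original article or of Tesco's systems. It shows why a login-attempt limit has to be counted per source as well as per account to catch credential stuffing, and how to list the accounts that then need a password reset. The event format, thresholds, function names and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch_seconds, source_ip, username, success)
EVENTS = [
    (1000, "203.0.113.7", "alice@example.com", False),
    (1002, "203.0.113.7", "bob@example.com", False),
    (1003, "203.0.113.7", "carol@example.com", True),
    (1005, "203.0.113.7", "dave@example.com", False),
    (1006, "203.0.113.7", "erin@example.com", False),
    (1010, "198.51.100.4", "frank@example.com", False),
    (1020, "198.51.100.4", "frank@example.com", False),
    (1030, "198.51.100.4", "frank@example.com", True),
]

def accounts_over_limit(events, max_failures=3, window_s=300):
    """Per-account limit: accounts with max_failures failed logins in the window."""
    recent, flagged = defaultdict(deque), set()
    for ts, _ip, user, ok in sorted(events):
        if ok:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(user)
    return flagged

def stuffing_sources(events, min_accounts=4, window_s=60):
    """Per-source view: sources that try many distinct accounts in a short window."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, user, _ok in sorted(events):
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window_s:
            q.popleft()
        if len({u for _, u in q}) >= min_accounts:
            flagged.add(ip)
    return flagged

def accounts_to_reset(events, sources):
    """Accounts that logged in successfully from a flagged source."""
    return {user for _ts, ip, user, ok in events if ok and ip in sources}

if __name__ == "__main__":
    bad = stuffing_sources(EVENTS)
    print(accounts_over_limit(EVENTS), bad, accounts_to_reset(EVENTS, bad))
```

On the constructed data the per-account limit flags nothing, because each account is tried only once, while the per-source count flags the address that cycles through five accounts in six seconds.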