U.K. supermarket giant Tesco has recently warned its loyalty
program members of a security incident that may have affected over 600,000
“We are aware of some fraudulent activity around the redemption
of a small proportion of our customers’ Clubcard vouchers,” said a Tesco
representative. “Our internal systems picked this up quickly and we immediately
took steps to protect our customers and restrict access to their accounts.”
The supermarket chain believes fraudulent activity in customers’
accounts was possible due to older data breaches and leaks, and that the
attackers accessed the accounts using login credentials stolen from other
websites. This is not hard to believe, since shoppers often use the same
username and password for more than one online account.
Customers quickly reacted on Twitter, posting screenshots of the notification email. A snippet of the official message reads: “We recently became aware of some fraudulent activity on your Clubcard account, which included an attempt to access your Clubcard vouchers. We picked this up quickly, and to be on the safe side, blocked your account immediately.”
After apologizing for any inconvenience, Tesco said no loyalty
points will be lost and that the company will issue new cards for affected
members. Most importantly, it emphasized that no financial data was accessed,
and, as an additional security measure, customers will be asked to reset their
This is not the first security incident to affect the company. In
2016, Tesco Bank fell victim to a cyber attack that targeted the financial information
of debit card holders. Threat actors from Brazil stole over £2 million from 8,261 customer
accounts. The attack resulted in a fine of over £16 million from the UK’s Financial
Conduct Authority (FCA).
The most recent incident should serve to remind us of the importance of not recycling old passwords, and that the effects of data breaches never really end. Loyalty programs are a rich target for cyber criminals. The most popular strategy for reward program fraud is credential stuffing, meaning that the attacker tries username and password pairs exposed in previous breaches against the login page of another service. If credentials are not up for grabs on the dark web, scammers use other nefarious methods such as phishing emails. You might not suspect that criminals crave loyalty benefits and vouchers, but they are becoming increasingly lucrative as more and more companies create reward memberships to reduce customer attrition.
According to Forter, loyalty program fraud has increased by 89% over the last year, with total losses estimated at $1 billion. The next time you sign up for a new loyalty program, avoid re-using an old or existing password and enable multi-factor or two-factor authentication. Of course, don’t forget that a local security solution is the first line of defense when it comes to securing your online activity and protecting yourself from malware attacks.
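For defenders, credential stuffing as described above leaves a recognizable trace in login logs: one source trying many different accounts, with only a few logins succeeding. The sketch below is an added example, not Tesco's detection logic; the event format, the function name and the thresholds are assumptions, and the log data is constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
# IPs are from the documentation ranges; usernames are made up.
SAMPLE_EVENTS = (
    # One source walking a leaked credential list: 8 accounts, 1 hit.
    [("203.0.113.7", f"user{i:02d}", i == 3) for i in range(1, 9)]
    # A real customer mistyping a password: many tries, one account.
    + [("198.51.100.20", "alice", ok) for ok in (False, False, False, True)]
    # A shared office address: many accounts, but every login succeeds.
    + [("192.0.2.50", f"staff{i}", True) for i in range(6)]
)


def flag_stuffing_sources(events, min_accounts=5, max_hit_ratio=0.2):
    """Flag sources that try many distinct accounts and get into few of them.

    Both thresholds are illustrative assumptions and need tuning on real
    traffic. Returns {ip: {"accounts_tried": n, "accounts_to_lock": [...]}}.
    """
    tried = defaultdict(set)   # ip -> usernames attempted
    hits = defaultdict(set)    # ip -> usernames with a successful login
    for ip, user, ok in events:
        tried[ip].add(user)
        if ok:
            hits[ip].add(user)

    flagged = {}
    for ip, users in tried.items():
        hit_ratio = len(hits[ip]) / len(users)
        if len(users) >= min_accounts and hit_ratio <= max_hit_ratio:
            flagged[ip] = {
                "accounts_tried": len(users),
                # Accounts the source did get into: candidates for an
                # immediate block and forced password reset.
                "accounts_to_lock": sorted(hits[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

Counting distinct accounts per source, rather than failures per account, is what separates this pattern from ordinary password guessing, which per-account lockout already covers.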