U.K. supermarket giant Tesco has recently warned its loyalty program members of a security incident that may have affected over 600,000 Clubcard holders.
“We are aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers,” said a Tesco representative. “Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.”
The supermarket chain believes fraudulent activity in customers’ accounts was possible due to older data breaches and leaks, and that the attackers accessed the accounts using login credentials stolen from other websites. This is not hard to believe, since shoppers often use the same username and password for more than one online account.
Customers quickly reacted on Twitter, posting screenshots of the notification email. A snippet of the official message reads: “We recently became aware of some fraudulent activity on your Clubcard account, which included an attempt to access your Clubcard vouchers. We picked this up quickly, and to be on the safe side, blocked your account immediately.”
After apologizing for any inconvenience, Tesco said no loyalty points will be lost and that the company will issue new cards to affected members. Most importantly, it emphasized that no financial data was accessed and that, as an additional security measure, customers will be asked to reset their account passwords.
This is not the first security incident to affect the company. In 2016, Tesco Bank fell victim to a cyber attack that targeted the financial information of debit card holders. Threat actors from Brazil stole over £2 million from 8,261 customer accounts. The attack resulted in a fine of over £16 million from the UK’s Financial Conduct Authority (FCA).
The most recent threat should serve as a reminder of the importance of not recycling old passwords, and that the effects of data breaches never really end. Loyalty programs are a rich target for cybercriminals. The most common strategy for reward program fraud is credential stuffing: the attacker takes username and password pairs exposed in previous breaches and tries them against the loyalty program’s login page, relying on members having reused the same credentials. If credentials are not up for grabs on the dark web, scammers turn to other methods such as phishing emails. You might not expect criminals to crave loyalty benefits and vouchers, but they are becoming increasingly lucrative as more and more companies create reward memberships to curb customer attrition.
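As an added illustration (not from the article or from Tesco), this is the kind of check an internal system can run over authentication logs to spot credential stuffing: a single source trying many distinct accounts with a low success rate, where the few successful logins from that source are exactly the accounts to lock and force through a password reset. The log format, addresses and account names below are constructed for the example.

```python
# Constructed sample auth log: "timestamp source_ip username result".
# The first source cycles through many different accounts (stuffing);
# the second is one user mistyping their own password, then succeeding.
SAMPLE_LOG = """\
2020-03-02T10:00:01 203.0.113.5 alice FAIL
2020-03-02T10:00:02 203.0.113.5 bob FAIL
2020-03-02T10:00:02 203.0.113.5 carol OK
2020-03-02T10:00:03 203.0.113.5 dave FAIL
2020-03-02T10:00:03 203.0.113.5 erin FAIL
2020-03-02T10:00:04 203.0.113.5 frank OK
2020-03-02T10:00:05 203.0.113.5 grace FAIL
2020-03-02T10:00:06 203.0.113.5 heidi FAIL
2020-03-02T10:05:00 198.51.100.7 alice FAIL
2020-03-02T10:05:09 198.51.100.7 alice FAIL
2020-03-02T10:05:20 198.51.100.7 alice OK
"""


def parse_log(text):
    """Turn log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "OK"))
    return events


def detect_stuffing(events, min_attempts=5, min_distinct_users=5,
                    max_success_ratio=0.5):
    """Return {source_ip: [accounts that logged in successfully]} for
    sources whose pattern looks like credential stuffing. Thresholds are
    illustrative; real stuffing campaigns succeed on well under 5% of
    attempts, so tune them against your own traffic."""
    per_ip = {}
    for _ts, ip, user, ok in events:
        s = per_ip.setdefault(ip, {"attempts": 0, "users": set(), "hits": set()})
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)
    flagged = {}
    for ip, s in per_ip.items():
        success_ratio = len(s["hits"]) / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and success_ratio <= max_success_ratio):
            flagged[ip] = sorted(s["hits"])  # accounts to lock and reset
    return flagged


if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

The single-user source with two failures and a success is left alone, while the rotating source is flagged along with the two accounts it got into.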
According to Forter, loyalty program fraud has increased by 89% over the last year, with total losses estimated at $1 billion. The next time you sign up for a new loyalty program, avoid reusing an old or existing password and enable multi-factor (two-factor) authentication wherever it is offered. Of course, don’t forget that a local security solution is the first line of defense when it comes to securing your online activity and protecting yourself from malware attacks.