Supermarket giant Tesco has issued new Clubcards to more than 600,000 of its customers after discovering a potential security concern with its systems.
It is believed that a database containing usernames and passwords stolen from separate websites had been ‘tested’ for login attempts, in some cases successfully.
The company said that no important data such as credit card numbers or Clubcard points were stolen, and that customers have been contacted and told to immediately change their account passwords to something more secure.
A Tesco spokesperson said: “We are aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers.
“We have strict security measures in place and our priority is protecting our customers. Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts. At no point was any customer’s financial data accessed.
“We have asked customers affected to reset their passwords and are contacting customers whose Clubcard vouchers may have been affected to let them know that we will replace these vouchers and issue new Clubcards as a precaution. We are sorry for any inconvenience this may cause.”
This latest incident raises questions about the tendency to reuse the same usernames and passwords across several online accounts. It highlights the need to use a different password for each account; otherwise, hackers can use databases of login information sold online to access secondary accounts.
Data has shown that, in 2019, 90% of all data breaches were caused by human error. As hackers become more sophisticated, simple usernames and passwords are increasingly becoming prime targets for attacks, putting consumers at risk.
CEO of CybSafe, Oz Alashe, commented: “As this analysis shows, it’s almost always human error that enables attackers to access encrypted channels and sensitive information.
“As for lessons learned, there’s a lot to take away from these figures. As a nation, we can’t begin to address cyber risk if we only concentrate on technical threats.
“The human side of the equation is so important. Simple attacks, especially social engineering attacks, continue to dominate the threat landscape. And it’s hard to see that situation changing significantly in the next few years.”
This latest security concern also raises the question of whether businesses in the UK are doing enough to protect customers from potential attacks.
“With end-user mistakes often being either a cause or catalyst in the majority of breaches,” Alashe added, “British businesses and public sector organisations need to be asking whether they’re doing enough to minimise that risk. Are they doing anything at all and, if they are, is it really making a difference?”