Boots Advantage Card and Tesco Clubcard customers targeted by hackers

Data Leak Lawyers - Begin Your Data Breach Claim Today!

Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.

Start Your Claim
Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

Boots Advantage Card and Tesco Clubcard customers targeted by hackers

We’re only in March, and we’ve already seen LOQBOX hacked, MGM breached, and Travelex held to ransom this year. Now, Boots Advantage Card and Tesco Clubcard customers have been targeted by hackers too.

Warnings have been issued by both retailers, and Boots has suspended people being able to use loyalty points for payments. Around 600,000 Tesco Clubcard customers are thought to have been targeted, and it may be the same hackers behind the attacks.

It’s important to point out that neither Boots nor Tesco’s systems have been compromised, according to their communication. This appears to be a case of hackers using information stolen from separate hacks to then try and break into Boots and Tesco customer accounts. This is precisely why we point out that even small attacks can lead to wider problems, and why people should never use the same login credentials across multiple platforms.

Boots Advantage Card and Tesco Clubcard customers hit with cyberattacks

Hundreds of thousands of Boots Advantage Card and Tesco Clubcard customers collectively could be at risk from criminals who may be trying to use stolen credentials to steal loyalty points.

Security systems for both retailers are understood to have identified the attempts to break into accounts, and customers are being warned to stay vigilant. It appears that hackers may be using stolen credentials from external hacks to break into accounts and then commit fraud and theft using compromised accounts.

A statement from Boots, who believe less than 1% of customers have been potentially affected (which could be fewer than 150,000 people), said:

“We are writing to customers if we believe that their account has been affected, and if their Boots Advantage Card points have been used fraudulently we will, of course, replace them. We would like to reassure our customers that these details were not obtained from Boots”.

A spokesperson for Tesco said:

“We are aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers. Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.”

How these attacks take place

There have been so many cyberattacks in the last few years, with billions of records compromised worldwide. All it can take is a username and even a hashed or partially encrypted password to use software to then compromise login credentials.

If one person is affected by more than one attack, and more bits of stolen data is pieced together, the risks can be greater. If someone has used the same password for two websites, each of which has a partially encrypted password with different letters compromised, you can see how hackers can string the data together.

Hackers can also use brute force attacks with software to try and guess common passwords being used against lists of email addresses that are being used as usernames. If any passwords are just words or place names, they could be compromised.

It appears in the Boots Advantage Card and Tesco Clubcard case, this is the kind of attack that has been taking place. Security systems can identify these kinds of attacks when unusual activity is flagged on a large number of accounts in a short space of time, which highlights the importance for organisations to have adequate security measures in place.

2020 so far…

The Boots Advantage Card and Tesco Clubcard incidents follow a string of other cybersecurity incidents that have taken place in 2020.

And we’re only just in the third month of the year!

We’ve seen the LOQBOX data breach break over last weekend, and MGM Resorts confirm news of a significant data breach affecting some 10.6 million former guests. In January, it was reported that Travelex was being held to ransom after its systems were locked down by hackers who demanded a fee for release of the captured systems.

Once again, we’re seeing that cybersecurity data breaches will not stop. People must take care and must make sure that they take steps to protect themselves by not re-using login credentials across multiple platforms and using strong passwords. People need to be vigilant and keep an eye on online accounts for unusual activity, and organisations around the world must do all they can to secure their servers and systems.

The content of this post/page was considered accurate at the time of the original posting and/or at the time of any posted revision. The content of this page may, therefore, be out of date. The information contained within this page does not constitute legal advice. Any reliance you place on the information contained within this page is done so at your own risk.

We offer genuine No Win, No Fee agreements for our clients. Why we do this is simple:

Leading Data Breach Lawyers
Our experience speaks for itself.
We will fight for your right to compensation.
Access to Justice
As a victim of a data breach or hack, you deserve your chance to get access to justice.
Risks Assessment
We carefully risk assess your case and take it on if we think we have a good chance of winning the claim.

Request A Callback From Our Team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy
Contact is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'
arrow-up icon