We’re only in March, and we’ve already seen LOQBOX hacked, MGM breached, and Travelex held to ransom this year. Now, Boots Advantage Card and Tesco Clubcard customers have been targeted by hackers too.
Warnings have been issued by both retailers, and Boots has suspended the use of loyalty points for payments. Around 600,000 Tesco Clubcard customers are thought to have been targeted, and it may be the same hackers behind the attacks.
It’s important to point out that neither Boots’ nor Tesco’s systems have been compromised, according to their communication. This appears to be a case of hackers using information stolen in separate hacks to try to break into Boots and Tesco customer accounts. This is precisely why we point out that even small attacks can lead to wider problems, and why people should never use the same login credentials across multiple platforms.
Boots Advantage Card and Tesco Clubcard customers hit with cyberattacks
Hundreds of thousands of Boots Advantage Card and Tesco Clubcard customers collectively could be at risk from criminals who may be trying to use stolen credentials to steal loyalty points.
Security systems for both retailers are understood to have identified the attempts to break into accounts, and customers are being warned to stay vigilant. It appears that hackers may be using stolen credentials from external hacks to break into accounts and then commit fraud and theft using compromised accounts.
A statement from Boots, which believes that less than 1% of customers have potentially been affected (which could be fewer than 150,000 people), said:
“We are writing to customers if we believe that their account has been affected, and if their Boots Advantage Card points have been used fraudulently we will, of course, replace them. We would like to reassure our customers that these details were not obtained from Boots.”
A spokesperson for Tesco said:
“We are aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers. Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.”
How these attacks take place
There have been so many cyberattacks in the last few years, with billions of records compromised worldwide. All it can take is a username and a password, even a hashed or partially encrypted one, for software to be used to recover working login credentials.
If one person is affected by more than one attack, and more bits of stolen data are pieced together, the risks can be greater. If someone has used the same password for two websites, each of which has a partially encrypted password with different letters compromised, you can see how hackers can string the data together.
Hackers can also use brute-force attacks, in which software tries common passwords against lists of email addresses that are used as usernames. Passwords that are just words or place names could be compromised this way.
It appears that this is the kind of attack that has been taking place in the Boots Advantage Card and Tesco Clubcard case. Security systems can identify these kinds of attacks when unusual activity is flagged on a large number of accounts in a short space of time, which highlights how important it is for organisations to have adequate security measures in place.
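The detection idea described above, sketched as an added example that is not code from Boots, Tesco or this article: it flags any source whose failed logins touch many distinct accounts inside a short window, then lists accounts that source did get into. The log format, addresses, account names and thresholds are constructed assumptions, and grouping by source IP is a simplification.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one per line: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2020-03-04T09:00:00 192.0.2.33 gina@example.com FAIL
2020-03-04T09:10:00 192.0.2.33 hal@example.com FAIL
2020-03-04T09:20:00 192.0.2.33 ivy@example.com FAIL
2020-03-04T09:30:00 192.0.2.33 jon@example.com FAIL
2020-03-04T10:00:01 198.51.100.7 alice@example.com FAIL
2020-03-04T10:00:09 198.51.100.7 bob@example.com FAIL
2020-03-04T10:00:15 203.0.113.20 bob@example.com FAIL
2020-03-04T10:00:18 198.51.100.7 carol@example.com OK
2020-03-04T10:00:26 198.51.100.7 dave@example.com FAIL
2020-03-04T10:00:31 203.0.113.20 bob@example.com FAIL
2020-03-04T10:00:40 198.51.100.7 erin@example.com FAIL
2020-03-04T10:00:52 203.0.113.20 bob@example.com OK
""".splitlines()


def parse(line):
    ts, source, account, result = line.split()
    return datetime.fromisoformat(ts), source, account, result == "OK"


def flag_sources(lines, window=timedelta(minutes=5), min_accounts=4):
    """Sources whose failed logins touch min_accounts+ distinct accounts in one window."""
    recent = defaultdict(deque)  # source -> failed (time, account) pairs still in window
    flagged = {}
    for ts, source, account, ok in sorted(map(parse, lines)):
        if ok:
            continue
        q = recent[source]
        q.append((ts, account))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        accounts = {a for _, a in q}
        if len(accounts) >= min_accounts:
            flagged.setdefault(source, set()).update(accounts)
    return flagged


def accounts_to_review(lines, flagged):
    """Accounts a flagged source logged in to successfully: candidates for a lock and reset."""
    return sorted({acct for _, src, acct, ok in map(parse, lines) if ok and src in flagged})


if __name__ == "__main__":
    hits = flag_sources(SAMPLE_LOG)
    for source, accounts in hits.items():
        print(source, "failed against", len(accounts), "accounts")
    print("review:", accounts_to_review(SAMPLE_LOG, hits))
```

In the sample, the customer who mistypes a password on one account and the source that spreads its attempts over half an hour both stay under the threshold, which shows what a fixed window catches and what it misses.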
2020 so far…
The Boots Advantage Card and Tesco Clubcard incidents follow a string of other cybersecurity incidents that have taken place in 2020.
And we’re only just in the third month of the year!
We’ve seen the LOQBOX data breach break over the last weekend, and MGM Resorts confirm news of a significant data breach affecting some 10.6 million former guests. In January, it was reported that Travelex was being held to ransom after its systems were locked down by hackers who demanded a fee for release of the captured systems.
Once again, we’re seeing that cybersecurity data breaches will not stop. People must take care and must make sure that they take steps to protect themselves by not re-using login credentials across multiple platforms and using strong passwords. People need to be vigilant and keep an eye on online accounts for unusual activity, and organisations around the world must do all they can to secure their servers and systems.
IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.
First published by Matthew on March 05, 2020