Every little (data breach) helps
Poor old Tesco. After posting falling profits at the end of last year, they are now the latest victim of data theft, with over 2,000 customers' Clubcard data hacked, and vouchers nicked from wide open accounts.
It has been reported that a list of 2,239 Tesco.com accounts was published on Pastebin yesterday, with some customers complaining of being thrown out of their own accounts and of their vouchers having gone missing.
Tesco said that it was "urgently investigating" the situation: "We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this," Tesco said in a statement.
"We will issue replacement vouchers to the very small number who are affected."
While Tesco are coming under fire for this breach, it is probably not really Tesco's fault. It is believed that hackers obtained username/email address and password data through other hacks, and then tried the hacked data against Tesco's login system, gaining entry to the accounts of customers who had used the same email address/password combination on both sites.
Trey Ford, global security strategist at Rapid7, told The Register that the breach highlighted again the danger of reusing passwords across multiple accounts.
"The attackers seem to have picked up usernames and passwords that were leaked after breaches of other, potentially unrelated organisations, and by trying them on Tesco’s site, they were able to compromise 2,239 Tesco.com customer accounts," he said.
"So far the information available indicates that the impact of this has been relatively limited – stolen vouchers – but if attackers have tried this on Tesco.com, the chances are they are also trying it on other sites too and so we may see additional fallout."
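The attack described above and in Trey Ford's comments is credential stuffing: leaked email/password pairs replayed against a site's login page. From the site's side its signature is one client trying many distinct accounts in a short window with mostly failures, which is unlike a real customer mistyping one password. The following is an added example, not code from Tesco or from the original article, that flags such sources in constructed login log lines; the log format, thresholds and addresses are assumptions for illustration.

```python
"""Flag credential-stuffing patterns in web login logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from Tesco or any real system):
# "<timestamp> <client_ip> <account> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2014-02-14T09:00:01 203.0.113.7 alice@example.com LOGIN_FAIL
2014-02-14T09:00:02 203.0.113.7 bob@example.com LOGIN_FAIL
2014-02-14T09:00:02 203.0.113.7 carol@example.com LOGIN_OK
2014-02-14T09:00:03 203.0.113.7 dave@example.com LOGIN_FAIL
2014-02-14T09:00:04 203.0.113.7 erin@example.com LOGIN_FAIL
2014-02-14T09:00:05 203.0.113.7 frank@example.com LOGIN_OK
2014-02-14T09:01:10 198.51.100.9 alice@example.com LOGIN_FAIL
2014-02-14T09:01:20 198.51.100.9 alice@example.com LOGIN_FAIL
2014-02-14T09:01:30 198.51.100.9 alice@example.com LOGIN_OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, succeeded)."""
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, outcome == "LOGIN_OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_accounts=5, max_success_rate=0.5):
    """Return {ip: (distinct_accounts, attempts, successes)} for client
    addresses that tried at least `min_accounts` distinct accounts inside
    any `window`-long span with a success rate <= `max_success_rate`.
    A normal user retrying their own password hits one account only and
    is never flagged; a replayed breach list touches many accounts.
    """
    by_ip = defaultdict(list)
    for raw in log_text.strip().splitlines():
        ts, ip, account, ok = parse_line(raw)
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {acct for _, acct, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if (len(accounts) >= min_accounts
                    and successes / len(span) <= max_success_rate):
                flagged[ip] = (len(accounts), len(span), successes)
    return flagged
```

The successes recorded for a flagged source are the accounts to act on: those are the customers whose reused passwords worked and who need a forced reset, the same ones who in Tesco's case found themselves locked out with vouchers gone.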
Nevertheless, customers posting on Tesco's Facebook page have expressed a lack of confidence in the security of Tesco.com's online shopping portal, and suggested that they may be turning elsewhere.
Tesco was already under data breach fire this week after accidentally emailing a list of customers who were attempting to buy a trampoline without using BCC, sharing around 300 email addresses among complete strangers each time. One customer claimed to have received the email five times, gaining access to a list of 1,500 Tesco customers' email addresses.