Tesco issues 620,000 new Clubcards after data attack

4 March 2020

The supermarket believes hackers used stolen usernames and passwords from other websites


Tesco is reissuing 620,000 new Clubcards to customers after criminals tried to hack accounts.

The supermarket giant believes the hackers stole passwords and usernames from other websites and then tried using them to redeem vouchers.

Tesco says it has contacted 620,000 Clubcard holders who may have been affected by the breach.

The company says no financial data was compromised and that all affected vouchers have been cancelled.

It has apologised for the inconvenience and assured customers that no Clubcard points or vouchers will be lost.

Customers will be able to carry on using their current card until a new one is issued.

A Tesco spokesperson says: “We are aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers. We have strict security measures in place and our priority is protecting our customers.

“Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.

“We have asked customers affected to reset their passwords and are contacting customers whose Clubcard vouchers may have been affected to let them know that we will replace these vouchers and issue new Clubcards, as a precaution.”

Around 19 million people have a Clubcard account.

Clubcard holders were made aware of issue after they were sent an email by Tesco.


In 2014, Tesco was forced to suspend over 2,000 online shopping accounts after details were posted online.

Its banking division was also fined £16.4 million in 2018 after a cyber attack that saw £2.26 million stolen from customers in 48 hours.

Tesco Clubcard was first launched in 1995 and then relaunched in 2018 with contactless cards.

With Tesco Clubcard you collect one Clubcard point for every £1 you spend in Tesco and one point for every £8 you spend everywhere else. The points can be turned into vouchers, so 150 points are worth £1.50.

What can you do?

Experts believe that incidents like this are exacerbated by users using the same log-in for multiple accounts.

Make sure you change the passwords on all your accounts. Be sure to use a strong password that is unique and contains letters, numbers and symbols.

Stewart Room, head of data protection and cybersecurity at multinational law firm DWF, says: “This breach is about the balancing act between security and convenience and highlights the dangers of relying on passwords as a single form of authentication. 

“This incident should be a lesson for customers to not use the same password for multiple accounts. If cyber criminals manage to use stolen credentials once, in all likelihood they'll be trying the credentials on other sites too.”

If you are worried that your email has been compromised, you can check on the website haveibeenpawned.com.


Tesco Clubcard vouchers

I've had my vouchers cashed in store in an area of London I hadn't visited in ages. I contacted Tesco by phone and asked how this could have happened when you are not supposed to be able to cash a voucher without presenting the matching Clubcard instore at the point of sale. They admitted that their systems did not enforce this requirement. Doesn't equate with their statement about having "strict security measures in place" ..... They reimbursed the points to my account but declined to access the cctv footage of the person in the Ealing branch who cashed in my vouchers, despite having the date, place and time of the offence.

Add new comment