Has Tesco been hacked? Shoppers claim Clubcard vouchers stolen
Tesco customers are complaining that their Clubcard reward scheme points are being stolen from their accounts by thieves, who may have access to customer information.
According to visitors to the Money Saving Expert forum, Clubcard users have been logging in to their accounts online hoping to pay for their shopping or claim rewards only to find their accounts emptied.
The first report was in December '12, from ‘Pawan’: “We logged on this month to find that £160 of vouchers that we were hoping to use at Christmas had been stolen (ie spent) from our clubcard account. It had been spent in two stores in London, miles away from where we live.”
Since then more have joined in with similar stories: large numbers of points missing, spent in multiple stores sometimes many miles from their home.
At least one involves a Tesco credit card, with the victim warning that customer services said they could not guarantee that the credit card data had not also been exposed. In a few cases users have been unable to login to their account because the registered email address was changed.
Upon reporting the loss to customer services many have been told that it must have been themselves or a family member who spent the vouchers, that their computer settings are to blame or even, according to one victim, that BT was at fault because two people had a similar email address.
While BT may be to blame for many things, pinning stolen Clubcard points on them is perhaps a step too far.
But if the reports on MSE are accurate there may be something more going on than just a phishing scam or weak online security.
Tesco policy requires the Clubcard to be presented in order for vouchers to be used in-store however it seems that the fraudsters may have a way to clone them, perhaps even without access to the original card. As one person said: “Tesco are continuing to say that, as the vouchers were used with a clubcard, I must have spent them. The particular unused clubcard is in my possession, together with keyfobs, still attached to the letter they sent me in 2008.”
Also concerning is most of the complaints seem to involve large amounts of £150 or more which suggests someone is deliberately targeting customers with significant voucher savings, indicating that they have access to customer data.
We’ve reached out to Tesco for comment but at the time of writing received no response.
If you’ve been affected you should immediately speak to Tesco, however many customers have found they only received a refund after reporting it as a crime and giving Tesco the crime number. It’s also important that you submit it to the Police Action Fraud site, and you might want to chime in on the MSE forum thread.
In the meantime, Clubcard customers should keep a close eye on their account activity. It would also be a good idea to strengthen your online security by changing passwords and running regular anti-virus scans, and as always check those emails carefully before clicking.
UPDATE: Tesco has issued the following statement about these allegations.
“We have launched a thorough investigation into a small number of incidents and referred the matter to the police. In the meantime, we’d like to ask any customers who believe they’re affected to contact us directly so that we can make sure their accounts are up to date."
Customers can call on 0800 591 688.