Tesco, Deliveroo and McDonald’s customer data for sale on the dark web

LaToya Harding
·4-min read
Cybercriminal creating malicious software, typing on laptop keypad, closeup
A seller was offering Tesco's accounts in 2,000 blocks and based on Which?’s calculations, the individual accounts were being sold for around 42p. Photo: Getty

Cybercriminals are advertising personal consumer data on the dark web, with vast databases of stolen details offered for just a few pounds a time, new data has revealed.

According to a Which? investigation, thousands of Tesco (TSCO.L) Clubcard accounts were amongst those marketed by fraudsters, as well as Deliveroo and McDonalds (MCD) customers.

Which? worked with security specialists Red Maple Technologies in October last year to investigate the kind of personal data that is advertised for sale on both the open internet and the dark web — a hidden part of the web that can only be accessed using special tools.

The investigation found information that could be used to clone identities and passwords to online services including food delivery platforms.

One seller claimed to have data that included “Tesco accounts with usernames, passwords and loyalty card balances.”

READ MORE: JPMorgan to launch UK digital consumer bank

The seller was offering the accounts in 2,000 blocks and based on Which?’s calculations, the individual accounts were being sold for around 42p ($0.58).

They claimed to have hundreds of thousands of Clubcard accounts for sale in total, although Which? could not verify this as it did not purchase the stolen data, it said.

Last year Tesco reported that a database of usernames and passwords stolen from other websites had been used to try to access Clubcard accounts and customer vouchers.

The supermarket giant said at the time that no financial data was accessed and its systems had not been compromised. However, after Which? searched through dark web marketplaces for hacked accounts, it found examples that included data claiming to be from Tesco.

WATCH: Five must-do’s for computer security

Researchers also found Deliveroo accounts being advertised for sale on dark web markets for just £4.30 as consumer numbers have increased during the COVID-19 crisis.

Which? also found “My McDonald’s” accounts marketed for sale on the dark web, along with instructions on how to use them with the mobile app.

The instructions advise someone to go to a McDonald’s restaurant, make their order through the compromised account, and then pick it up, Which? said. The stolen account can cost just a few pounds, but could result in an order of more than £30.

Which? warned that companies should take “more robust action to prevent data breaches happening in the first place” and that its strongly considers adding security protections such as two-factor authentication to reduce the chance of criminal activity.

READ MORE: Tesco Bank cancels credit cards of customers amid fraud scare

Kate Bevan, computing editor at Which?, said: “The ICO must be prepared to issue heavy fines against companies that leave customers’ personal data exposed to cybercriminals and breach data protection law, so that they are incentivised to prevent breaches.”

“Which? is also calling for consumers to have an easier route to redress when they suffer from data breaches. The government must allow for an opt-out collective redress regime which would mean that affected victims would be automatically included in the action and be represented by a body bringing the claim on behalf of those affected.”

The consumer group advised customers that they should always protect their data by setting strong passwords — including different ones across various accounts.

People can also use a password manager and two-factor authentication (2FA) whenever possible to help prevent fraud, as well as not saving card details or using a guest checkout online.

READ MORE: Money scams rise in UK as fraudsters exploit COVID-19 pandemic

Deliveroo responded by saying that it “takes online security extremely seriously” and that it is working to help protect customers against unauthorised logins by cyber criminals.

“We have strict and robust anti-fraud measures in place to combat fraudsters and to track patterns of criminal activity and to block fraudsters. We also partner with anti-fraud companies to address misuse of card information and we regularly remind customers to use new, strong, unique passwords to protect their Deliveroo accounts,” it said.

Meanwhile, a Tesco spokesperson said: “Over the past year we’ve introduced additional measures to better protect customer accounts, after we became aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers in March last year.

“Our priority is protecting our customers and we have strict security measures in place, and at no point was any customer’s financial data accessed.”

McDonalds confirmed it also had measures in place to mitigate any breaches, including bot protection, device identification and additional fraud detection software.

WATCH: Why can't governments just print more money?