Now MY Tesco Clubcard points get stolen!

Love Clubcard, don’t collect Avios?  You should be reading our sister site, Shopper Points (www.shopperpoints.co.uk), which covers the latest Clubcard and Nectar offers without any distracting frequent flyer talk!  Why not check it out now?

I have written a couple of pieces on Head for Points over the last year about people getting their Tesco Clubcard points stolen.  It is becoming an increasing problem.

Is it Royal Mail?  Is it Tesco employees?  It is difficult to tell.

Over the weekend I had this email from Tesco:

Dear Raffles

At Tesco we constantly monitor all of our systems and take the security of our customer’s data very seriously. Our team have noticed some irregular activity on your Tesco Clubcard account and we have cancelled all your vouchers as a precaution.

We will update your account balance accordingly within the next 48 hours and issue you with replacement vouchers in our next mailing commencing in August. However, if you wish to use your voucher(s) prior to this, please call our helpline on 0800 023 4761 who will be happy to assist. 

As part of our ongoing work to protect you online we are asking you to create a new stronger password before you log in to your Tesco.com account.

[snip]

Thank you for taking the time to read this and we would like to apologise for any inconvenience that this may have caused you, however we hope you can appreciate that we are acting to ensure your account is secure.

Kind regards,

Tesco theft

Confession time.  I have written on here before that because I use AwardWallet to track my balances, I would be informed if my points went missing.  This is incorrect.  Whilst AwardWallet DOES inform me when my current points balance moves, it does NOT inform me when my ‘unspent vouchers’ total moves.

This is because Award Wallet does not inform you about movements in ‘second-level data’ which is what this is.  You also, for example, do not get told if a BA Amex 241 voucher is added to your account even though it shows on AwardWallet.

I mention this because, when I look at my transactions, it seems that the first odd transaction happened in March and I missed it.  This is what was spent:

26 March – £xx – Andover

9 April – £xx – Prescot Extra

15 May – £xx – Aylesbury

The paper vouchers issued to me are still in my desk.  Someone had accessed my Clubcard account and printed off extra copies of some of the vouchers.  The usage pattern is a little weird, to be honest – why wait two weeks after the first transaction to do the second one (which was 10 x larger) giving me plenty of time to notice?

Tesco did a good job of spotting this fraud.

They did a bad job of explaining it to me.

If you look at the email, it implies that they spotted the fraud and refunded me.  This was not correct.  They did refund the Aylesbury transaction which is what had triggered the review.  They had NOT refunded the Prescot or Andover transactions and did not do so until I called them.  To be fair, they could not be 100% certain that I had not done these – although it is unlikely as I have never used a Tesco anywhere near there – but the email should have asked me to check my transactions.

Additionally, whilst the email asks me to change my password it was not compulsory.  You would have expected Tesco to insist on a password change at the next log-in, but it didn’t.

I have no idea how this happened.  My password was not too secure but I know people with super-tough passwords who have also been defrauded.  You could try to point the figure at AwardWallet but there are plenty of fraud cases from people who do not use them.

As these vouchers were from my February mailing, it is NOT Royal Mail as I have the vouchers.  The finger points pretty clearly to someone at Tesco.  It is worth noting that the Aylesbury voucher was used after Tesco brought in its additional security checks although it is possible it had been printed off earlier.

There is some upside though!

Tesco is going to reissue all of my vouchers in August.  This will reset the expiry date on all of them for two years!

They were also happy to let me redeem some points for Thomas Land today so I am still able to spend points even though I have no ‘live’ vouchers.  (Update: these points were deducted overnight so the redemption definitely went through.)

Tesco answered my telephone call promptly and the guy I spoke with was very efficient in looking through my account and calling back when he said he would.  They did do a good job here.

Time to tighten up security further though.  Sainsbury does not allow you to redeem Nectar points unless you have previously shopped in that store.  I don’t think it would cause much inconvenience if Tesco went the same way.

Love Clubcard, don’t collect Avios?  You should be reading our sister site, Shopper Points (www.shopperpoints.co.uk), which covers the latest Clubcard and Nectar offers without any distracting frequent flyer talk!  Why not check it out now?

United reveals its impressive lounges for Heathrow Terminal 2
Virgin launches new reward seat sale in Economy and Premium Economy
About Head for Points

We help business and leisure travellers maximise their Avios, frequent flyer miles and hotel loyalty points. Visit every day for three new articles or sign up for our FREE emails via this page or the box to your right.

Comments

  1. Just got mine today, £540, so limit is not applied in these cases.

    • I was thinking like Squills until I saw you got your £540 all back! What a great way for them to reduce the outstanding total of vouchers before they bring in a bonus! Stupid, they are not. Someone has to pay for those cc points!

  2. Raffles, your post prompted my to check my voucher usage today; sure enough, £50 spent at “GREENFORD DOT COM” which is nowhere near me, and not something I would spend it on. In common with others, it only took 10 mins on the phone to sort it out, and it was a relatively small balance shift so I hadn’t noticed it. Thanks for the post!

    • Idrive says:

      That is a Tesco online shop (when you buy online), that would mean they would have logged in with your credentials.

      Though, it could be at source level from people with permissions that do not even need to hack the logins, they might see everything in clear and with sorting ability!
      but all this about internal staff thing is a strong allegation towards a quoted company, which should do something as they are also offering also financial services!

      • The password (now changed!) was not one which I use on other sites, so if it was leaked it had to have come from Tesco.

        • Idrive says:

          A security and database expert should now how these thongs work..or reading the News.. Also remember about that bug which was revealed a few weeks ago..but mule seems to e the first choice

          • andrew s says:

            The password is almost certainly stored encrypted in a database. This is lesson one in database design and has been for 20 years. I just cannot believe that anyone inside Tesco (short of the Chief security officer) is able to gain access to a naked password.

            Even in the recent ebay breach the passwords were stolen in encrypted form, and useless for any attacker.

  3. Graeme Archer says:

    I knew that none of mine had been nicked, but I thought I’d have a look anyway – they’ve had £125.50 from me in the last 24 days! They were three online transactions with a Clubcard number attached, so the unhelpful lady on the phone reckons they can be traced – not that I’ll ever know.

    • Andrew says:

      I had my vouchers stolen a few months ago, a 4 figure amount, and i have to say Tesco were very efficient about returning the vouchers and crediting them back to my account. If Tesco don’t know why its happening, i’m surprised they haven’t called in the police etc to sort it, esp as surely the online orders or their cctv should be able to track these things, esp as it seems to be being spent in a small selection of stores. Very strange to say the least!

  4. squills says:

    It IS very strange. Tesco have so many problems at the moment, they probably don’t want to admit that when you sign up with them for Grocery deliveries etc, you risk your internet security – ie so many people use the same ID & password on multiple sites, then if Tesco is compromised, so are all your other sites.

    The fraud is so prevalent: it HAS to be an inside job by a sophisticated team.

    Tesco’s security measures are laughable. The guys who said all this 3 digit stuff is pathetic are right.
    1. You get multiple attempts to input the 3 digits
    2. You can circumvent all that by just knowing email address & password, ie just order the goods and use vouchers to pay.

  5. What's the Point says:

    Got my “letter” today. Tesco have converted £200 + back to points, but can’t see what someone has tried to use them for yet.
    Something has clearly gone majorly wrong with Tesco security measures for so many people to be targeted.

  6. Pat Bucher says:

    Just checked my account and I’ve been done again! Only a few vouchers and spent in a store in a totally different area from last time.

  7. Martin says:

    I’ve been cleaned out as well. They changed the name on my account, but not the address, so I received the clubcard statement today and noticed a) the name change, b) the almost zero balance – and they’ve spent all my vouchers 200 miles away from me in the London area – in small transactions. I think the previous posts are right, only a very small chance of an Avios bonus so far safer to auto-convert.

  8. Bialynia says:

    I feel like I might be a little naive here. When Tesco periodically send us their vouchers for discounts in store, which used to be quite good but are now pitiful (my last two batches offer money off specific items, eg. 25p or 50p, and only one voucher was was 20 bonus clubcard points if I bought some of their ‘Be Good to Yourself’ Cottage Cheese. Funny thing is, the nutritional information on the expensive ”Be Good to Yourself Cottage Cheese has the exact nutritional information to their economy Cottage Cheese brand, and I can’t taste any difference, which leads me to suspect that they are exactly the same product, in different packaging and with the economy product being MUCH cheaper, making using the 20 bonus CC points feel like a con. But, anyway, I’ve sidetracked. Every time I have used any of these promotional vouchers they have asked for my Clubcard as the promotional discounts will not be applied if the Clubcard isn’t used at the same time. When using the stolen vouchers in different stores, are the thieves not also asked for the Clubcard before they can cash in those vouchers? If they aren’t, then it seems a pretty silly oversight considering the losses incurred from these frauds, and if they are being asked to provide the Clubcard as well, then how are they able to do this, unless it really is some kind of inside job?

    I have £130 in Clubcard vouchers, I have been waiting for an Avios bonus exchange but it has been so long since one that I am beginning to feel like I am waiting for Godot. Is it just time for me to call it a day and forget about holding out and longer for a Clubcard to Avios bonus exchange and should I Just exchange them at the standard rate? Thoughts of Raffles and other HfP members would be greatly appreciated here, as I’m not sure what the wisest step to take next is. Best wishes to you all.

    • You don’t need to show the Clubcard to redeem a voucher. No idea why!

      Conversion – I don’t see the point to be honest. If Avios launch a surprise sale today and you want to redeem, you can redeem and get the Avios within 24 hours. With conversion so quick, doing it early means a) you might miss a bonus and b) you might miss out on an excellent deal from another Boost partner which ends up being more valuable.

      • Bialynia says:

        Seems to me like half their fraud issues would be solved if you had to show your clubcard along with the voucher or money off token at the point of sale.

        As for conversions, mostly thanks to HfP, since I started using it a year ago, I have accrued 9,596 BAEC Avios and almost £130 in Clubcard vouchers, but I’m starting to think that perhaps I missed the boat on Clubcard to Tesco conversion bonuses.

        Oh, and that’s not forgetting the approx £150,000,000 I also earned in RedSpottedHanky vouchers. I was beginning to feel sorry for them but finally my vouchers ran out last week and for the first time I ended up paying for a train ticket with them, which made me feel better about myself!

  9. avidsaver says:

    I’ve been checking my Tesco CC each morning recently as I’ve still not received my vouchers for this quarter and wondered if they may have been pinched in the post. Low and behold I’ve had a voucher from the last quarter used two days ago on “Tesco Boost”. Phoned the CC helpline straight away. As with others, all my vouchers are now being cancelled and will be re-issued in August. I was told they would email their “fraud dept” and should I wish to make use of any vouchers in the meantime I could phone them and they would organise it for me over the phone. I agree with others that the security check when you call is pathetic. Surely Tesco will get their finger out and upgrade their security soon?

  10. Bialynia says:

    Raffles, what would your advice be? Should I just convert my £130 in Clubcard vouchers at the standard rate or risk getting them nicked. I Know they refund them but with my luck I can just see a multiplier conversion coming up when my points have been nicked and that by the time the points will be re-issued in August the conversion promotion will be long gone. Personally I don’t see one coming up anyway over the past couple of years anyway, if the past couple are anything to judge by, so would I really be missing out on anything anyway, really?

    • I honestly don’t see the point.
      a) Tesco has always replaced stolen vouchers within 24 hours – and it resets the 2-year expiry!
      b) If you did need the Avios suddenly, they transfer overnight from Tesco anyway
      c) Even if there is no Avios bonus, there might be a good deal from another Boost partner like the ‘3x face value on RedSpottedHanky’ offer last year – or you may suddenly see some jewellery in Goldsmiths you fancy for 3x face value of your vouchers!

      • Bialynia says:

        Fair point. Thanks Raffles, so I will hold.onto the CC vouchers for now. Best wishes.