Data stolen from Tesco clubcards could be resold for just £2.70 a pop, reckons a price-comparison website that appears to have strayed into the dark web.
Earlier this week Tesco revealed that data from 600,000 Clubcards, its loyalty programme, had potentially been accessed by miscreants in what sounds like a credential stuffing exercise. Citing "fraudulent activity", the supermarket said it would be issuing new cards to all members of its scheme.
Clubcard holders were being urged yesterday to change their passwords and login details on other sites using the same combination of username or email address and password.
"Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts. At no point was any customer's financial data accessed," Tesco said.
Now price comparison site Money Guru reckons that any data stolen from Clubcard holders could be being traded by online criminals for as little as £2.70.
What can $10 stretch to these days? Lunch... or access to international airport security systemsREAD MORE
Citing its own research into "several Dark Web marketplaces", Money Guru claimed the average Briton's entire online identity could be bought for "less than £750".
Strangely enough, one's eBay account was said to be worth £9.70 on average: Clubcard data, while revealing, doesn't include the ability to make actual purchases. The site's researchers also reckoned they could buy British Airways loyalty programme data – presumably the hundreds of thousands of peoples' data, including card details, stolen from the airline in 2018 – for all of £4.90 a go.
Deborah Vickers, channel director at Money Guru, said in a canned statement: "Our research into personal data and how much it's actually worth on the black market is shocking to say the least. For less than £750 criminals can access not only your bank details, but online shopping, social media and email information too. This just goes to show how vital it is to protect your data where possible to avoid facing costly consequences."
The standard advice remains to use a password manager to generate hard-to-guess passwords that you don't have to memorise, and to make sure you change your login details on anything that's potentially been hacked. As someone once said, every little helps. ®