Cybercriminals are advertising valuable personal data about consumers involving some of the biggest shopping names, a new investigation has revealed.
Stolen accounts and data are being advertised for sale cheaply, with customers of Tesco, Deliveroo and McDonald’s among those having their personal information marketed by fraudsters.
Thousands of Tesco Clubcard accounts were said to be available in vast databases of stolen details offered for a few pounds a time on the dark web, according to the new research.
Calls are now being made for companies to take more robust action to prevent data breaches happening in the first place, and to strongly consider adding security protections such as two-factor authentication, so that this information has less chance of making its way into the hands of cybercriminals.
Which?, the consumer organisation behind the probe, said that the Information Commissioner's Office "should not shy away" from setting an example by sanctioning companies heavily when they fail to protect personal data and break data protection law. "This highlights the dangerous knock-on effects of being involved in a data breach, or companies not prioritising security highly enough," it said.
Details of the illicit data sale emerged after hackers published about 4,000 stolen files. Scotland's environmental regulator had said it would not be held to ransom after its systems were crippled for three weeks by "international serious and organised cyber-crime groups".
The Scottish Environment Protection Agency (SEPA) said a fortnight ago that a highly organised, international cybercrime group was demanding an undisclosed ransom to unlock its digital systems, which had been subjected to a cyber attack since Christmas Eve.
The Scottish Government agency has confirmed that more than 1GB of data had been stolen, including personal information about staff and some related to businesses that they regulate and work with. Early indications suggest at least 4,000 files may have been taken.
But SEPA has confirmed that the data stolen from the agency's systems has been published on the web by cyber criminals.
"We're working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals," SEPA's chief Terry A'Hearn stated.
"We've been clear that we won't use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds," he added.
In the new probe, security specialists Red Maple Technologies worked with Which? in October 2020 to investigate the kind of personal data that is advertised for sale on both the open internet and the dark web – a hidden part of the web that can only be accessed using special tools.
The data found was a treasure trove for fraudsters - including information that could be used to clone identities and passwords to online services including food delivery platforms.
One seller claimed to have data that included "Tesco accounts with usernames, passwords and loyalty card balances".
The seller was offering the accounts in 2,000 blocks and the individual accounts were being sold for around 42p. They claimed to have hundreds of thousands of Clubcard accounts for sale in total, although there was no way of verifying this as Which? did not purchase the stolen data.
This follows Tesco confirming in March last year that a database of usernames and passwords stolen from other websites had been used to try to access Clubcard accounts and customer vouchers.
Tesco said at the time that no financial data was accessed and its systems had not been hacked. It claimed to have blocked affected accounts as a security measure.
But the Which? probe of dark web marketplaces for compromised accounts found examples that included data claiming to be from Tesco.
Which? said that while the Clubcard accounts being advertised for sale might not work if they have been blocked, there is still value to the cybercriminals in stolen email addresses, passwords and other data.
This is because they can potentially use the data to attack other services where consumers have reused the same credentials. They could also use the data to mount phishing attacks on Tesco customers.
Which? said it did not try this so cannot independently verify the rogue seller’s claims.
Researchers also found Deliveroo accounts being advertised for sale on dark web markets for just £4.30.
They also found My McDonald’s accounts marketed for sale on the dark web, along with instructions on how to use them with the mobile app.
Personal data of millions of guests who stayed at MGM Resorts hotels was breached in the summer of 2019. A database of information was posted on a hacking forum in February 2020, and in October researchers found a seller offering data from the breach. This included 10.6 million guest records, including ‘email and physical addresses, names, phone numbers and dates of birth’ and was available on Dark Market, a dark-web marketplace.
Kate Bevan, Which? computing editor, said: “Our research has found a treasure trove of stolen data being traded by criminals on the dark web, highlighting the danger of companies acting carelessly with their customers’ sensitive personal information.
“The ICO must be prepared to issue heavy fines against companies that leave customers’ personal data exposed to cybercriminals and breach data protection law, so that they are incentivised to prevent breaches.
“Which? is also calling for consumers to have an easier route to redress when they suffer from data breaches. The government must allow for an opt-out collective redress regime which would mean that affected victims would be automatically included in the action and be represented by a body bringing the claim on behalf of those affected."
A Tesco spokesman said: “Over the past year we’ve introduced additional measures to better protect customer accounts, after we became aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers in March last year.
"Our internal systems picked this up quickly and we immediately took steps to restrict access to their accounts. Our priority is protecting our customers and we have strict security measures in place, and at no point was any customer’s financial data accessed. We believe that someone had stolen password/username combinations from other websites and used them to try to access Tesco sites - where customers used the same username and password. We asked customers affected to reset their passwords and contacted customers whose Clubcard vouchers may have been affected to let them know that we would be replacing these vouchers and issue new Clubcards, as a precaution.”
Deliveroo said it takes online security "extremely seriously", adding: “We have strict and robust anti-fraud measures in place to combat fraudsters and to track patterns of criminal activity and to block fraudsters.
“As a business, we are committed to tackling illegal activity and developing new and market leading innovations to protect our consumers against criminal hackers.”
McDonald’s said: “Unfortunately unwanted transactions do occur due to customers’ details being compromised by other websites, which is why we regularly add additional layers of fraud protection and security to our app. These include device identification and additional fraud detection software, and we recommend customers use a unique password for their account. We also have a number of measures in place to mitigate any breaches, such as Bot Protection and we remain confident that we have never had a breach of our systems.”
MGM Resorts added: “MGM Resorts has addressed the incident reported in 2019. We continually seek to strengthen and enhance our security measures to protect guest data.”