Tesco has been targeted by hackers, crashing its website and app and causing frustration for thousands of customers.
The hack, one of the worst cyber attacks to date on a British supermarket, poses a “serious problem” for Tesco’s reputation and is estimated to be costing £20m a day in lost revenue.
Tesco first revealed the problem on Saturday morning and the online shopping service was not restored until late on Sunday night.
A spokesman for Tesco said: “An attempt was made to interfere with our systems, which has caused problems with the search function on the site.”
Although details of the cause of the problems have not been disclosed, it is understood that the outage is not a result of a ransomware attack.
“There is no reason to believe that this issue impacts customer data and we continue to take ongoing action to make sure all data stays safe,” Tesco added.
We're experiencing an issue with our website and app and are working hard to get things back up and running. We apologise for any inconvenience.
— Tesco (@Tesco) October 23, 2021
Under UK law, companies have a duty to report personal data breaches within 72 hours of them becoming aware of the incident. This would give Tesco until Monday morning to contact the Information Commissioner’s Office if any customer information was found to have been lost.
Customers responded angrily on social media. One shopper tweeted: “I tried all the recommended methods yesterday for cancelling my order due today, because I couldn’t update it (including a DM) without confirmation. Can you, please, at least give some clarity on customer data security.”
Another said: “It would be helpful if you could confirm if this is some kind of security breach, I had a dodgy email about two hours ago supposedly from Tesco but was clearly a phishing email.”
Nick Bubb, an independent retail analyst, warned: “It may be turning into a serious problem. I think customers shrug off website problems that last a few hours, as par for the course – but outages lasting a day or more are embarrassing and unhelpful.”
Clive Black, an analyst at stock broker Shore Capital, estimated that Tesco was losing roughly £20m a day in lost online sales. “It will be a real hassle and worry for all involved until firm control and so forth is re-established,” he said. “It will not enhance Tesco’s reputation but at the same time attacks are part of everyday life and a new industry.”
The UK’s biggest grocer has previously been targeted by hackers. In 2014, the data of more than 2,000 shoppers was posted online. In 2016, hackers stole £2.3m from Tesco Bank customers.
This time around, reports emerged of Tesco customers being delivered large quantities of the same grocery product – toilet rolls, dishwasher tablets or cans of soft drink – due to a popular strategy used by customers to secure slots on Tesco’s online booking system.
Customers often place dummy orders in advance, because they can update their basket up to the night before delivery. However, over the weekend many found themselves stuck with their original orders. Rebecca, from North Wales, received 120 cans of a soft drink yesterday. “We were meant to get a week’s shop this morning,” she told the BBC.
Nadia Kadhim, chief executive of Naq Cyber, said: “Data is a commodity that is extremely valuable to companies and criminals, and should be treated with vigilance. All companies need to realise that they’ve been entrusted with a valuable good, and should be held responsible and accountable for failing to protect that good adequately.”
Tesco said: "Our groceries website and app are back up and running. To help us manage the high volume we're temporarily using a virtual waiting room. We're really sorry for any inconvenience and thank you for your patience."