A “treasure trove” of rifled personal data including user names, addresses and loyalty card balances was uncovered by the consumer campaign group. Cyber security experts say the information could be used to clone customer identities and gain illegal access to online shopping services. One seller on the dark web – hidden websites often used for illegal activities – claimed to have thousands of Tesco Clubcard account details for sale at 42p each.
Which? computing editor Kate Bevan called for companies and customers to tighten up on security.
She also urged the Information Commissioner’s Office (ICO) to introduce stiffer penalties for offenders, and better compensation for victims.
She said: “Our research has found a treasure trove of stolen data being traded by criminals on the dark web – highlighting the danger of companies acting carelessly with customers’ sensitive personal information.
“The ICO must be prepared to issue heavy fines against companies that leave customers’ personal data exposed.
“Which? is also calling for consumers to have an easier route to redress when they suffer from data breaches.”
The watchdog worked with a private security firm to investigate what was on sale. As well as Tesco data, they found customer accounts from My McDonald’s and Deliveroo, both app-based takeaway food businesses.
They also found names, phone numbers, addresses and other data from more than 10 million guests who stayed at MGM Resorts hotels.
Which? advised customers to have strong passwords, use password manager services and two-factor authentication. It also warned against saving credit card details on websites.
It admitted it could not confirm whether the personal details were genuine without trying to use them.
Tesco declined to comment but Deliveroo, McDonald’s and MGM said they took data security very seriously.
Deliveroo said: “We are committed to tackling illegal activity and developing new and market-leading innovations to protect our consumers.”
McDonald’s said: “We regularly add additional layers of fraud protection and security to our app.”