A data breach at an unidentified online retailer could have led to credit card users having their account details "compromised", MoneySavingExpert has learned. Tesco Bank has already cancelled some of its customers' cards as a precaution and users of cards from other companies are likely to be affected.
We were alerted to the data breach after numerous Tesco Bank credit card customers told us their cards had been cancelled. The bank had told them only that their cards could have been compromised following a data breach at an online retailer.
We don't yet know who the online retailer is – Tesco Bank is not telling us, nor is Mastercard, which reported the breach to Tesco Bank. But it's possible multiple credit card providers' customers have been put at risk – a Mastercard spokesperson says "this situation is not unique to Mastercard or even Tesco".
Tesco Bank took action after being notified and is now in the process of identifying those at risk and cancelling their cards.
It won't say how many of its customers are affected but says it's a "tiny percentage" of its two million credit card holders. Mastercard also declined to say how many of its cards are at risk.
We've contacted Visa and other major banks and card providers to ask them if any of their customers have been affected and will update this story when we hear back. A Lloyds spokesperson says it was not aware of the breach or any risk to its customers.
If you think you've been affected or know who the online retailer is, email us at firstname.lastname@example.org.
For tips on how to protect yourself online see our Stop Scams guide. Here's what we know about the breach so far and what action you can take to protect yourself.
'Quite a few cards' compromised
MoneySavingExpert was first informed of the problem when reader Jade Cowen got in touch after her Tesco credit card was declined on Thursday (4 February). When her husband rang the fraud helpline to enquire what the problem was, he was told the card had been compromised alongside "a number of others".
In the past 24 hours we've heard from or spoken to more than 20 different Tesco credit card customers who've had their cards cancelled unexpectedly as a result of the fraud concerns.
Another reader, Steve Green, said he was contacted by the Tesco fraud team. He said: “The guy told me to check for any unusual activity on my card. Luckily my card was fine but he told me that quite a few other cards had been compromised and to cut up my card.”
And Twitter user Alison Jones said: "My Tesco credit card was declined last night with no explanation and no call to say there had been any suspicious activity. I called Tesco and hung on the phone for ages before getting through and they just said something along the lines that my card may have been compromised."
A Tesco Bank spokesperson told us: "Earlier this week we were notified by a card scheme that the credit card details of a number of customers, including some Tesco Bank customers, could have been compromised as a result of a data breach at an online retailer. As a precautionary measure we have blocked the cards and are contacting affected customers."
The spokesperson added that the bank was unaware of the online retailer's identity.
Tesco Bank has posted a notice on its community forum informing users that some credit cards have been blocked, and apologising for the inconvenience.
What Mastercard says
A Mastercard spokesperson confirmed it had contacted Tesco Bank as a result of the data breach, but said Tesco credit card holders are not the only ones affected.
He said: "This situation is not unique to Mastercard or even Tesco, and we’re not willing to say how many of our cards were put at risk. Ultimately we report these breaches, and it is up to the bank if they want to take preventative measures."
Mastercard has declined to name the online retailer concerned, saying it cannot "legally" identify who it was.
How to protect yourself
Your card may be identified as ‘at risk’ if you shopped with the online retailer concerned, but unfortunately neither Tesco nor Mastercard have identified the source of the data breach.
In the meantime, if you're a Tesco credit card holder:
- Tesco is currently in the process of identifying cardholders whose accounts are deemed to be vulnerable to check there has been no fraudulent activity.
- Anyone with a card that is ‘at risk’ will have it cancelled and will receive a new card within six to eight days of being contacted by the Tesco fraud team.
Whether you have a Tesco credit card or any other debit or credit card it's always worth keeping an eye on your account and if you have any concerns about unusual activity get in touch with your card provider immediately.