We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.


When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.

5 Mar 2020

Boots Advantage and Tesco Clubcard both suffer data breaches in same week

Get the facts on the loyalty card data breaches and find out what security measures you should take

Boots has blocked all Advantage card holders from 'paying with points' after 150,000 accounts were subjected to attempted hacks using stolen passwords.

The news comes just days after Tesco said it would issue replacement Clubcards to more than 620,000 customers after a similar security breach.

Here, Which? explains what you should do if you've been impacted by either data breach and compares this incident with previous data breaches.

Advantage cardholders can still collect points - but not spend them

Boots told the BBC that none of its 14 million Advantage card holders would be able to pay for purchases using points collected on their loyalty cards while it investigates the issue.

According to the health and beauty retailer, hackers attempted to access around 150,000 customer accounts using passwords from other sites.

Boots said it's writing to customers whose accounts are believed to have been affected, and that no credit card details were accessed by the cyber attackers.

While you won't be able to pay for items using your points, you can still continue to collect points when you shop.

What happened with Tesco Clubcard?

Tesco believes a database of usernames and passwords stolen from other websites has been used to try and access Clubcard accounts and customer vouchers.

Announced earlier this week, Tesco said that no financial data was accessed, and its systems haven't been hacked. Customers that are thought to have been impacted have received an email letting them know.

Access to affected accounts has been blocked as a security measure. Tesco says it is actively working towards restoring access for customers.

Should I update my passwords?

Tesco has advised that impacted customers will be asked to reset their password the next time they log in. The supermarket is also planning to issue new Clubcard numbers to those customers.

If you've used the same password that you had for your Tesco account elsewhere, then you should change it on those sites too.

If you are resetting your password:

  • use a passphrase rather than a single word;
  • use a mix of upper and lower-case letters, numbers and symbols
  • come up with a long password - the longer it is, the harder it is to crack
  • don't use personal information (such as a pet's name, your hometown or place of birth, or your mother's maiden name) as your password or passphrase.

There are various random password generators online that you could use to create something really secure.

Clubcard holders unable to access accounts

Some Twitter users have reported difficulties accessing their Tesco accounts after resetting their password, as they needed their Clubcard number in order to do so.

As Tesco will be reissuing Clubcards with new numbers, old card numbers are no longer valid.

We will keep an eye on the situation, but if you're having issues logging in then it's best to contact Tesco customer services.

I've been affected: what should I do?

If your account is part of either data breach, Tesco or Boots should let you know.

To check whether your email address has been compromised in previous data breaches, enter it on public service website Have I been pwned.

If you're concerned, contact Tesco or Boots.

Previous retail data breaches

British Airways plane at stand
Several high-profile data breaches have hit consumers over the past few years. Here we take a look at some of the most notable cases.

British Airways

British Airways promised compensation to customers after a data breach in 2018. The airline said that its systems had been compromised for more than two weeks, with 'the personal and financial details of customers making bookings on our website and app' potentially stolen by hackers between 21 August and 5 September 2018.

Initially BA thought that up to 380,000 customers could have had their card details stolen, but later it admitted that a further 185,000 may have had their data breached.

The hack prompted a criminal inquiry led by specialist cyber officers from the National Crime Agency (NCA). In 2019, the Information Commissioner's Office (ICO) announced its intention to hand a record fine of £183m to the airline - the biggest penalty it had handed out under the new General Data Protection Regulation (GDPR).

Marriott hotels

One of the biggest consumer data hacks to date was announced by hotel brand Marriott in 2018, with a total of 500 million records accessed. It admitted that information including passport numbers was compromised for approximately 339 million people who had made reservations at Starwood properties.

Marriott's investigation determined that there was unauthorised access to the database, which contained guest information relating to reservations on or before 10 September 2018, and leading security experts found that this had gone unnoticed for four years.

The ICO announced plans to fine Marriott £99m for the breach, and said the hotel chain had failed to do sufficient due diligence on its IT systems.

Dixons Carphone

Dixons Carphone admitted a data breach affecting millions of customers in 2018, after a cyber-attack on a processing system used on store tills resulted in crooks accessing 1.2m personal data records and 5.9m payment cards.

The company said that approximately 105,000 non-EU-issued payment cards without chip-and-pin protection had been compromised, but that 5.8m of the credit and debit cards with chip-and-pin protection and pin codes had not been leaked. The cyber-attack went unnoticed for around nine months.

In January this year, the ICO announced a £500,000 fine for the retailer.


Uber was fined £385,000 by the ICO for failing to protect customers' personal information during a cyber attack in 2018. Approximately 2.7 million Uber user accounts in the UK were accessed and downloaded in a cyber attack in 2016, which Uber did not initially report.

An ICO statement said that 'a series of avoidable data security flaws' allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber's US parent company.

Instead of contacting affected customers and drivers at the time, an ICO report said Uber paid the attackers responsible $100,000 (£78,294) to destroy the data they had downloaded.

If you're concerned about the Tesco Clubcard breach, or any of those included above, find out more about your rights after your personal data has been lost.