Mystery IT security issue takes down Tesco's grocery shopping website and app after "interference" attempt

Tesco shoppers are unable to...

Tesco's online sales have already exceeded £6 billion this year.

The retailer will have lost millions in sales as a result after "an attempt... to interfere with our systems" which saw its online groceries shopping page taken offline for over 40 hours, as The Stack published late Sunday.

"We’re still experiencing issues with our website that’s affecting all of our customers right now. We’re really sorry for any inconvenience caused and our IT teams are working really hard to fix the issues as a priority" the supermarket giant said early Saturday on Twitter, confirming 18:21 on Sunday that the outage was ongoing. UPDATED: The retailer confirmed it had restored its grocery website and app shortly before midnight.

https://twitter.com/Tesco/status/1452255137070731277

A spokesperson told the BBC: "An attempt was made to interfere with our systems which has caused problems with the search function on the site. We're working hard to fully restore all services and apologise for the inconvenience... There is no reason to believe that this issue impacts customer data and we continue to take ongoing action to make sure all data stays safe" they added.

The company did not offer more detail on the incident, which could have been a Magecart-style card skimmer injection attempt of the kind that hit British Airways in 2018, or something more severe like ransomware; users and reporters can only speculate at this point. (To trigger IT to pull down the entire online retail website or cause the Tesco outage itself, it must have been of some significance however, given the likely associated retail losses.)

(The BA incident saw hackers grab the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers after an intrusion that began with them compromising credentials for a Citrix gateway. The hackers then edited a Javascript file on BA's site to exfiltrate cardholder data from the "britishairways.com" website to a third-party domain, www.BAways.com, controlled by them. The ICO later fined BA £20 million)

Tesco holds huge amounts of consumer data, harvested via various sources. Its Clubcard, for example, is used by 20 million+ UK households and as it notes in its earnings, "our online grocery business, our nearly seven million regular app users gives us the ability to manage vast amounts of data." Customers will be hoping the early statements hold up. The Tesco outage is another reminder for boards of the extent to which IT and cybersecurity issues have the potential to rapidly cause spiralling losses, reputational risk, and regulatory scrutiny.

Follow The Stack on LinkedIn