A major fraud perpetrated against two of the UK’s leading loyalty programmes – Tesco Clubcard and Boots Advantage Card – has exposed just how easy it is for online criminals to gain access to even the most secure websites “through the back door”, simply because so many consumers use the same password for multiple sites.
The move follows the successful conviction of four people at a trial at Cardiff Crown Court for a fraud which ran between November 2013 and December 2014. The “brains” behind the operation, former Tesco worker and serial offender Edward Kumsah, has been banged up for 30 months.
The court heard how the gang raided the online accounts of millions of Clubcard and Advantage Card customers and used the stolen reward vouchers to buy high end brands – including X-Box and PlayStation consoles as well as Tag Heuer watches – which were then sold on.
According to prosecutor James Davis, the details – including email addresses and passwords – were not gained from the companies which were targeted by the fraud but were hacked from smaller, less secure websites. However, the exact source of the information was not known and some may have been bought from the dark web, Davis said.
The court heard how the gang was able to log in and change a customer’s email address, often by adding a single letter or number, so that future messages went to them rather than the real customer. They could then steal vouchers, order goods online, collect them in-store and sell them on at a discounted price.
Prosecutors said Boots only became aware of the fraud seven months after it first started and set up a crisis management team. However, it was when staff at Tesco Extra in Cardiff became suspicious because Clubcard vouchers had been used to buy multiple PlayStations and Xboxes that the gang was finally fingered.
The defendants were identified after being caught on CCTV going into stores to collect the goods. All four were arrested at Tesco Extra in Pontypridd on November 10, 2014. Their car, which was parked outside, was said to be stuffed full of Clubcard vouchers.
Despite the fact that up to four million people had their online accounts hacked, the fraudsters netted just £64,000; Boots lost £21,335.68, with 310 customers affected, Tesco was hit for £23,879.56, with 432 customers affected, while Tesco Clubcard partner Goldsmiths lost £18,475.
Kumsah’s accomplices – Jade Ofomola, Demi Okoi and Jamie Evans – received lesser punishments, including a suspended sentence for Ofomola, a fine for Okoi and community service for Evans.
Jailed millionaire data thief is forced to pay back the lot
Morrisons man is spared jail after More loyalty fraud
Car crash data thief hit with six month prison sentence
Sacked and fined: would-be data thieves warned again
Bent copper gets five years for car crash data theft
Swansea call centre boss is jailed for energy bill fraud
Loyalty scheme chief gets 16 months for £200k fraud
TPS swindler banged up for 5 years for £600k fraud
Tesco warns of Clubcard theft threat