Tesco Clubcard members’ Hotels.com discounts sold on dark web
Tesco Clubcard temporarily removed Hotels.com from its reward partner list as scammers were able to guess remaining digits of a promotional code which would secure a discount for the holder.
These discount codes were then found to be sold online on hacker forums from as little as £37.50 for vouchers worth between £200 and £750.
Cybersecurity firm CyberNews uncovered the scam in March and alerted the parent company for Hotels.com – Expedia Group – about the security flaw.
It said the scam had serious consequences for Tesco Clubcard members. Those who were in line for discounts of up to £750 could have been left unable to secure their discount as the unique promotion codes can only be used once.
CyberNews added that the 13-character discount codes shared the same first five characters, followed by three digits giving the discount amount (200, 500 or 750) and then a colon, leaving only the last four characters for fraudsters to guess.
The coupons are valid for bookings until 31 December 2021 and can be used until December 2023.
The firm said: “In the current economic climate people are looking for ways to save money, so businesses need to stay vigilant to prevent fraud. We’d recommend using longer, less predictable discount codes with more characters which make it harder for cybercriminals to predict, as well as implementing a limit on attempts for an incorrect entry to prevent brute force attacks of this nature.”
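As an added illustration (not code from the article or from either company), the following Python models the weak format CyberNews describes and the two mitigations it recommends: a longer CSPRNG-generated secret part and a per-client limit on failed redemption attempts. The 36-symbol alphabet, the "TESCO" prefix and the limiter thresholds are assumptions.

```python
import math
import secrets
import string
import time
from collections import defaultdict

# Assumed alphabet for the variable part of a code (uppercase + digits).
ALPHABET = string.ascii_uppercase + string.digits


def guess_space(variable_chars, alphabet_size=len(ALPHABET)):
    """Candidate codes left when only `variable_chars` positions are unknown
    (the article's format leaves four, so the space is tiny)."""
    return alphabet_size ** variable_chars


def entropy_bits(variable_chars, alphabet_size=len(ALPHABET)):
    """Bits of unpredictability in the variable part of the code."""
    return variable_chars * math.log2(alphabet_size)


def make_code(amount, random_chars=16):
    """Replacement format: the amount stays readable, but the secret part is
    long and drawn from a CSPRNG. 'TESCO' is a placeholder prefix."""
    assert amount in (200, 500, 750)
    secret = "".join(secrets.choice(ALPHABET) for _ in range(random_chars))
    return f"TESCO{amount}:{secret}"


class RedemptionGate:
    """Single-use redemption with a failed-attempt limit per client: after
    `max_attempts` failures inside `window_s` seconds the client is locked,
    so even a correct code is refused until the window expires."""

    def __init__(self, valid_codes, max_attempts=5, window_s=3600):
        self.valid = set(valid_codes)
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.failures = defaultdict(list)  # client_id -> failure timestamps

    def redeem(self, client_id, code, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.failures[client_id] if now - t < self.window_s]
        self.failures[client_id] = recent
        if len(recent) >= self.max_attempts:
            return "locked"
        if code in self.valid:
            self.valid.remove(code)  # codes can only be used once
            return "redeemed"
        recent.append(now)
        return "invalid"
```

Compare `entropy_bits(4)` (about 21 bits) with `entropy_bits(16)` (about 83 bits) to see why the firm recommends longer codes; the gate makes even the short format impractical to guess online.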
The research found that, depending on the exact number of cases, Hotels.com could have lost millions in revenue as a result of this vulnerability.
A Hotels.com spokesperson said: “This issue was identified and resolved promptly several months ago. Working closely with our partners at Tesco we ensured that only legitimate Clubcard customers were able to obtain and redeem the codes they had earned. No customers of Hotels.com or Tesco missed out on the offer, lost money or Clubcard points as a result.”