Cyber Incident Victim: Tesco PLC
Date: Oct 2021
Location: United Kingdom
Summary
A UK supermarket experienced website and app outages following a suspected cyberattack, disrupting online grocery orders and cancellations for over a day. The incident impacted search functionality and forced the retailer to implement a virtual waiting room to manage order backlogs upon restoration. While the company stated no evidence indicated customer data compromise, users reported difficulties modifying orders and resorted to alternative services. This disruption occurred amid broader industry warnings about ransomware threats targeting supply chains, though attribution remains unconfirmed. The retailer previously faced security issues involving credential reuse vulnerabilities and payment system flaws.
Description
On October 23, 2021, Tesco experienced a significant disruption to its online grocery services, with customers unable to place or cancel delivery orders through its website and app. The UK supermarket chain attributed the outage to "an attempt to interfere with our systems," which specifically impaired the site’s search functionality. Service remained disrupted throughout Saturday and into Sunday evening, impacting Tesco’s capacity to process its weekly volume of 1.3 million online orders, representing nearly 15% of its UK sales. The company confirmed no evidence suggested customer data was compromised during the incident. By Sunday evening, Tesco restored access to its digital platforms but implemented a virtual waiting room system to manage order backlogs, publicly apologizing for the inconvenience via Twitter.

The outage triggered widespread customer complaints regarding order management, particularly cancellations. Some users reported being instructed to cancel orders on Saturday, only to later learn Tesco could not process those requests. Social media posts indicated customers rushed to cancel orders before an 11:45 pm deadline, with some opting to place orders with rival supermarkets instead. This incident followed prior cybersecurity challenges for Tesco, including a 2016 Tesco Bank breach that resulted in a £16.4 million regulatory fine and a 2020 Clubcard credential compromise affecting 600,000 accounts. While the 2021 event did not involve confirmed ransomware or data theft, it underscored operational vulnerabilities in critical retail systems during peak demand periods.
