Hot on the heels of US retailer Target suffering a huge data breach in December, it has merged that more than 2,000 Tesco customers’ email addresses and passwords were posted online yesterday after data stolen from other sites was compiled by hackers.

Do these two high-profile hacks mean web security is changing forever for retailers? The answer, according to security experts, is that attacks aren’t changing fundamentally but retailers are having to deal with more sophisticated hacks across a broad range of touch points.

“The attack patterns appear to be nothing new in principle although the detail may vary. In the case of Tesco we see an example of the modern internet relying on 30-year concepts of username and passwords. This technology is inherently insecure and presents a significant threat,” says Brian Spector, chief executive at security firm CertiVox.

While the Target hack involved an internal malware attack on the point of sale system, Tesco’s was different. The hackers picked up shoppers’ passwords elsewhere and tried their luck on the retailer’s accounts.

Part of the answer, says Guy Bunker, senior vice-president of product at security firm Clearswift, is to educate shoppers more about the need to change passwords more frequently, or use different passwords for different accounts.

Paul Henninger, global product director at BAE Systems Detica, says the Tesco hack is significant because digital criminals are no longer just interested in credit cards.

“Criminals are now happy to use the same techniques they’ve used in the past to target frequent flyer miles or loyalty points. They weren’t going after pounds or euros,” he says.

The consequence is that security measures designed for bank account or credit card information will increasingly need to be applied to other customer databases.

Ryan Rubin, head of information security at risk consultancy Protiviti, thinks high levels of monitoring will be required.

He says: “One of the big pain-points has been around companies not doing enough monitoring of unauthorised or unusual activity.”

In addition, the need to adopt new technologies and systems rapidly has in some cases led to lower levels of security. “The need to push something out quickly might have an impact on the ability of the organisation to push security through,” says Rubin.

Tesco customers targeted in cyber attack