Cyber Security – protecting customer and colleague data

Last updated 18/05/2021

UK Stores Retail Business


Information and systems are amongst Tesco’s most valuable assets. Protecting them is critical to the sustainability and competitiveness of our business, as well as to keeping the trust of our customers, colleagues, and investors. For these reasons, data security and data privacy are identified as a principal risk for the business in our annual report.

We take the responsibility of being entrusted with our colleagues’ and customers’ personal data very seriously, and we’re committed to protecting all data with the highest levels of security. Our Security Programme has been driving the enhancement of our security capabilities.

We are committed to protecting information in accordance with its value, its sensitivity, our customer and colleague expectations, our business goals, and regulatory requirements.


Accountability for information security sits with the Chief Technology Officer, who reports directly to the Chief Executive Officer on a day-to-day basis. We have a robust system in place for identifying and escalating security incidents.

A dedicated Cyber Risk Committee, which meets every two months, has been formed to provide oversight and governance of our cyber risk management plans. In addition, the Board and Executive Directors receive detailed updates on our risk management and mitigation activities through the following committees:

· Group Executive Committee

· Group Audit Committee

· Compliance and Risk Committees

· Privacy Executive Committee

· PLC Board and Board level Corporate Reporting Committee

Risk Management

To deliver and demonstrate our commitment, we have developed policies that set out our ambition and have implemented controls to prevent, detect and mitigate risks. We have adopted a risk-based approach, which we use to prioritise activities in the areas of highest risk to the business. For example, our colleague training focuses on head office (see below for more information).

We have also established reporting processes to raise visibility with leadership teams and continuously invite challenge through independent reviews and audits.

Our objectives are to preserve:

· Confidentiality: We take the highest level of care in protecting information in line with its classification/risk.

· Integrity: We have robust systems and processes to ensure that information is complete and accurate.

· Availability: We ensure systems and information are available at the time when they are needed.

Below are a few examples of our activities:

Systems Security

In order to ensure our IT systems are protected against changing security vulnerabilities, we regularly test and install ‘patches’. We also perform compliance monitoring to ensure that these patches are applied in a timely manner.

In addition, we continue to strengthen our network to help us protect against unauthorised traffic and malicious content entering our environment. We have deployed tools to protect us against malware infections and have independent penetration testing performed to actively identify vulnerabilities.

We have established Security Incident and Event Monitoring capabilities and have a 24/7 Security Operation Centre in place to assess and investigate abnormal activity on a timely basis.

Colleague Awareness Training

We make sure that our colleagues are trained in security awareness so that they understand the importance of confidentiality, integrity and availability and their responsibility to preserve them. Training helps further protect our colleague, customer and business information.

Colleague information security awareness training is mandatory. We make sure that training is relevant, role-specific and tailored for colleagues. We deliver quarterly refresher training for office-based colleagues to ensure it remains current in colleagues’ minds. We also deliver annual refresher training for colleagues in Stores, Distribution Centres and Customer Fulfilment Centres.

We have a 24/7 Security Operation Centre and a Protector Hotline, which are available to colleagues should they wish to report any suspicious activity or concerns.

Supplier Assurance

We expect our suppliers to take the same level of care as we do with the information shared with them, and as such we have a supplier assurance programme in place. We focus on those suppliers that pose the highest risk to Tesco, colleague and customer data. For those we identify as highest risk, we conduct a supplier review, which may include questionnaires and site visits.