Is this Tesco's fault?
Not the first, won't be the last.
If users have the same username / password on multiple sites, is this really Tesco's fault?
However, it wouldn't be difficult to implement two-factor authentication, requiring, for example, a PIN, birth date, last random digits of the Tesco club-card number, etc., to prevent this occurring in the first place.
I personally don't use Tesco's, but I do use LastPass to create a unique password for every site where I have a logon. However, I have had the greatest difficulty getting er-in-doors to use LastPass; she used to have the same username/password combo for fakebook/paypal/ebay/next etc.