ICO to investigate Tesco over website security concerns

Privacy watchdog to look at retailer’s website security after expert highlights concerns.

Tesco website

The Information Commissioner's Office (ICO) is to investigate a number of security issues surrounding supermarket giant Tesco's customer website.

A couple of weeks ago, security researcher Troy Hunt pointed out in a blog that he received a password reminder from Tesco that contained his password in plain text.

Hunt told the BBC that this showed Tesco's password data was not being securely stored. A more secure way of storing passwords would be to send users details on how to reset a password rather than sending the password itself in plain text.

Advertisement - Article continues below

The researcher also said that the retailer should use HTTPS across the entire site in order to protect customers from phishing and other attacks.

Although HTTPS is used on some part of the website, it isn't in others and Hunt said this does not assure customers using the site.

"HTTP is stateless so the only (practical) way a state, such as being logged in, can be persisted is by passing cookies backwards and forwards between the browser and the website," he said.

"Because they're being sent over a HTTP connection, anyone who can watch the traffic can see those same cookies. And copy them. And hijack your session."

The allegations surrounding the debacle have become serious enough for the ICO to launch an inquiry into the retailer's security measures. A spokesman for the ICO told IT Pro that investigations into the problem were at an "early stage".

Advertisement
Advertisement - Article continues below

"We are aware of these issues and will be making enquiries," said the spokesman.

Tesco responded with a statement saying: "We know how important internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely."

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/security/data-breaches/355056/vpnmentors-web-mapping-project-finds-more-exposed-military-files-via
data breaches

Printing company exposes 343GB of sensitive military data

20 Mar 2020
Visit/security/privacy/355048/government-may-trace-covid-19-patients-using-mobile-phone-data
privacy

UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020
Visit/security/355013/10-quick-tips-to-identifying-phishing-emails
Security

10 quick tips to identifying phishing emails

16 Mar 2020
Visit/business-strategy/mergers-and-acquisitions/354941/panda-security-to-be-acquired-by-watchguard
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020

Most Popular

Visit/security/privacy/355155/zoom-kills-facebook-integration-after-data-transfer-backlash
privacy

Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/cloud/355098/ibm-dedicates-supercomputing-power-to-coronavirus-researchers
high-performance computing (HPC)

IBM dedicates supercomputing power to coronavirus research

24 Mar 2020