ICO ‘making enquiries’ into Tesco website security concerns

Retailer was sending out customer password reminders in plain text

The Information Commissioner’s Office (ICO) has revealed that it is ‘making enquiries’ into a number of security concerns that have been raised regarding retail giant Tesco’s customer facing website.

Earlier this month, security researcher Troy Hunt detailed in a blog that he had received a password reminder in an email from Tesco that contained his password in plain text.

Hunt wrote: “Righto, so how exactly was that password protected in email? Well, of course it wasn’t protected at all, it was just sent off willy nilly.”

In Tesco’s terms and conditions, the company states that customers can be “totally confident when [they are] shopping with Tesco.com” and at the time told Computerworld UK in a statement that its security measures are “robust”.

However, it has become clear that the ICO feels that the allegations are strong enough to begin a probe.

A spokesman for the ICO said: “We are aware of these issues and will be making enquiries.”

Hunt was prompted by his experience to investigate additional security aspects of Tesco’s website.

One thing he identified was that although users log into the Tesco website over HTTPS, which “implies a degree of security”, the browser then reverted to plain HTTP, which gives users no such assurance. Hunt said this can cause problems for data protection and leave users vulnerable to hacking.

He said: “HTTP is stateless so the only (practical) way a state, such as being logged in, can be persisted is by passing cookies backwards and forwards between the browser and the website.

“Because they’re being sent over a HTTP connection, anyone who can watch the traffic can see [those] cookies. And copy them. And hijack your session.”
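The exposure Hunt describes can be checked from a site's own response headers: a session cookie without the Secure attribute is sent on every plain-HTTP request, and without Strict-Transport-Security the browser will follow a downgrade to HTTP. The script below is an added example, not Tesco's code or Hunt's; it audits constructed sample headers, and the list of cookie-name hints used to spot session cookies is an assumption.

```python
"""Audit response headers for session cookies that would travel over plain HTTP.

The header values below are constructed samples for illustration; they are not
captured from Tesco's site or from Troy Hunt's research.
"""
from http.cookies import SimpleCookie

# Assumed name fragments that usually mark a session or auth cookie.
SESSION_NAME_HINTS = ("session", "sess", "auth", "token", "sid")


def parse_set_cookie(header_value):
    """Return (name, {"secure": bool, "httponly": bool}) for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value)
    for name, morsel in jar.items():
        # Flag attributes are True when present, "" when absent.
        return name, {"secure": bool(morsel["secure"]),
                      "httponly": bool(morsel["httponly"])}
    raise ValueError("no cookie in header: %r" % header_value)


def audit_response(set_cookie_headers, hsts_header=None):
    """List the ways a browser could be made to reveal the session cookie.

    No Secure attribute: the cookie is also sent on http:// requests, so anyone
    watching that traffic can copy it and reuse the session. No HSTS: the
    browser will accept a redirect or link back to plain HTTP in the first place.
    """
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue  # non-session cookie, e.g. a language preference
        if not attrs["secure"]:
            findings.append("%s: session cookie lacks Secure, sent over HTTP" % name)
        if not attrs["httponly"]:
            findings.append("%s: session cookie lacks HttpOnly, readable by scripts" % name)
    if not hsts_header:
        findings.append("no Strict-Transport-Security header; downgrade to HTTP possible")
    return findings


# Constructed samples: the weak configuration beside the hardened one.
WEAK = {"set_cookie": ["SessionId=abc123; Path=/", "lang=en; Path=/"], "hsts": None}
HARDENED = {"set_cookie": ["SessionId=abc123; Path=/; Secure; HttpOnly", "lang=en; Path=/"],
            "hsts": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(resp["set_cookie"], resp["hsts"]) or ["no findings"])
```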

It was revealed earlier this year that Tesco was planning to invest £150 million in its online division, as it aims to refocus attention on its underperforming UK business.

Computerworld UK contacted Tesco for comment on the ICO's investigation but had not received a response at time of publication.
