ICO investigating Tesco over security concerns

Tesco is under scrutiny from the Information Commissioner’s Office (ICO) after an expert highlighted multiple security concerns with its websites.

Three weeks ago, researcher Troy Hunt criticised the way Tesco stores the passwords of customers on its websites, and flagged up a series of other security concerns.

Tesco has repeatedly said its security is “robust”, but Hunt said the issues he raised appear to have been ignored. The ICO has confirmed that it will be making enquiries into Tesco regarding the allegations, but couldn’t comment any further.

“Passwords are being emailed in plain text which in and of itself is risky as they are not protected in transit nor are they protected whilst sitting in recipients’ mailboxes,” Hunt told PC Pro via email. He added that emailing passwords out in plain text is also indicative of other problems, as it demonstrates that the passwords are not currently stored as cryptographic hashes on the server.
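To make the point about hashed storage concrete, the sketch below is an added example, not code from Tesco, Hunt or PC Pro. It stores only a salted PBKDF2 hash, so the server has nothing it could email back, and a forgotten password is handled with a single-use, expiring reset token instead. The in-memory stores, function names, iteration count and token lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for database tables (assumptions).
USERS = {}         # email -> (salt, derived_key); the password itself is never kept
RESET_TOKENS = {}  # sha256(token) -> (email, expiry); the token itself is never kept
ITERATIONS = 600_000  # illustrative work factor for PBKDF2-HMAC-SHA256

def _derive(password, salt):
    # One-way key derivation: the stored value cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(email, password):
    salt = secrets.token_bytes(16)  # per-user random salt
    USERS[email] = (salt, _derive(password, salt))

def verify(email, password):
    record = USERS.get(email)
    if record is None:
        return False
    salt, stored = record
    # Re-derive from the submitted password and compare in constant time.
    return hmac.compare_digest(stored, _derive(password, salt))

def start_reset(email, ttl=900, now=None):
    """Return a random token to send to the user; only its hash is stored."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (email, now + ttl)
    return token

def finish_reset(token, new_password, now=None):
    """Consume the token (single use) and replace the stored hash."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)
    if entry is None or entry[1] < now:
        return False
    register(entry[0], new_password)
    return True
```

A mailed reset token that leaks from a mailbox is useless once it has been used or has expired, whereas a mailed password stays valid until the user changes it.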

In a statement, Tesco said: “We know how important internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence they can shop securely.”

Indeed, despite Hunt’s concerns, Tesco hasn’t been hacked and customer data remains safe. However, he claimed that if it were successfully hacked, the plain text passwords would leave users at risk. “What we frequently see after an event like this is other services that customers own being breached due to password reuse,” he said.

“It needs to do a complete review of their security and make sure it’s following a good industry practice,” he added.
