ICO ‘making enquiries’ into Tesco website security concerns

Retailer was sending out customer password reminders in plain text

The Information Commissioner's Office (ICO) has revealed that it is 'making enquiries' into a number of security concerns that have been raised regarding retail giant Tesco's customer-facing website.

Earlier this month, security researcher Troy Hunt detailed in a blog that he had received a password reminder in an email from Tesco that contained his password in plain text.

Hunt wrote: "Righto, so how exactly was that password protected in email? Well, of course it wasn't protected at all, it was just sent off willy nilly."

In Tesco's terms and conditions, the company states that customers can be "totally confident when [they are] shopping with Tesco.com" and at the time told Computerworld UK in a statement that its security measures are "robust".

However, it has become clear that the ICO feels that the allegations are strong enough to begin a probe.

A spokesman for the ICO said: "We are aware of these issues and will be making enquiries."

Hunt was prompted by his experience to investigate additional security aspects of Tesco's website.

One thing he identified was that although users log into the Tesco website over HTTPS, which "implies a degree of security", the browser then reverted to plain HTTP for subsequent pages, which gives users no such assurance. Hunt said that this can cause problems for data protection and make users vulnerable to hacking.

He said: "HTTP is stateless so the only (practical) way a state, such as being logged in, can be persisted is by passing cookies backwards and forwards between the browser and the website.

"Because they're being sent over a HTTP connection, anyone who can watch the traffic can see [those] cookies. And copy them. And hijack your session."
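The mechanism Hunt describes depends on one cookie attribute: a session cookie set without the `Secure` flag is attached by the browser to every http:// request to that site, so the fall-back from HTTPS to HTTP hands the cookie to anyone watching the traffic. The Python below is an added example, not code from the article or from Tesco: it parses `Set-Cookie` headers, models the browser's send/don't-send decision for a given request URL, and reports the cookie attributes a defender would want on a session cookie. The header values and cookie names are constructed samples.

```python
from urllib.parse import urlparse

# Constructed sample Set-Cookie headers; none of these are real site headers.
SAMPLE_HEADERS = [
    "sessionid=3f9a1c7e; Path=/",                                   # weak: no Secure, no HttpOnly
    "prefs=dark; Path=/; Max-Age=31536000",                         # non-session cookie
    "sessionid=3f9a1c7e; Path=/; Secure; HttpOnly; SameSite=Lax",   # hardened
]


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def would_be_sent(cookie: dict, url: str) -> bool:
    """Model of the browser rule that matters here: Secure cookies travel only
    over https; everything else is attached to http requests as well."""
    scheme = urlparse(url).scheme.lower()
    if cookie["attrs"].get("secure") and scheme != "https":
        return False
    return True


def audit_session_cookie(header: str, session_names=("sessionid",)) -> list[str]:
    """Findings for a cookie that carries login state; empty list means hardened."""
    cookie = parse_set_cookie(header)
    if cookie["name"].lower() not in session_names:
        return []
    findings = []
    if not cookie["attrs"].get("secure"):
        findings.append("missing Secure: sent on http:// requests, readable by anyone on the path")
    if not cookie["attrs"].get("httponly"):
        findings.append("missing HttpOnly: readable by page scripts")
    if "samesite" not in cookie["attrs"]:
        findings.append("missing SameSite: attached to cross-site requests")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie = parse_set_cookie(header)
        print(f"{cookie['name']!r:14} sent over http? "
              f"{would_be_sent(cookie, 'http://shop.example.invalid/basket')}")
        for finding in audit_session_cookie(header):
            print("   -", finding)
```

Running this shows the first `sessionid` cookie being sent on an http:// request while the hardened one is withheld; the audit flags exactly the attributes whose absence makes the plaintext hop exploitable. Serving the whole logged-in session over HTTPS, with the session cookie marked `Secure`, removes the exposure the quotes above describe.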

It was revealed earlier this year that Tesco was planning to invest £150 million in its online division, as it aims to refocus attention on its underperforming UK business.

Computerworld UK contacted Tesco for comment on the ICO's investigation but had not received a response at time of publication.

Stories by Derek du Preez