We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

ICO ‘making enquiries’ into Tesco website security concerns

Retailer was sending out customer password reminders in plain text

The Information Commissioner's Office (ICO) has revealed that it is 'making enquiries' into a number of security concerns that have been raised regarding retail giant Tesco's customer facing website.

Earlier this month, security researcher Troy Hunt detailed in a blog that he had received a password reminder in an email from Tesco that contained his password in plain text.

Hunt wrote: "Righto, so how exactly was that password protected in email? Well, of course it wasn't protected at all, it was just sent off willy nilly."

In Tesco's terms and conditions, the company states that customers can be "totally confident when [they are] shopping with Tesco.com" and at the time told Computerworld UK in a statement that its security measures are "robust".

However, it has become clear that the ICO feels that the allegations are strong enough to begin a probe.

A spokesman for the ICO said: "We are aware of these issues and will be making enquiries."

Hunt was prompted by his experience to investigate additional security aspects of Tesco's website.

One thing he identified was that although users log into the Tesco website over HTTPS, which "implies a degree of security", the browser reverted back to HTTP, which does not give users security assurances. Hunt said that this can cause problems for data protection and make users vulnerable to hacking.

He said: "HTTP is stateless so the only (practical) way a state, such as being logged in, can be persisted is by passing cookies backwards and forwards between the browser and the website.

"Because they're being sent over a HTTP connection, anyone who can watch the traffic can see [those] cookies. And copy them. And hijack your session."

It was revealed earlier this year that Tesco was planning to invest £150 million in its online division, as it aims to refocus attention on its underperforming UK business.

Computerworld UK contacted Tesco for comment on the ICO's investigation but had not received a response at time of publication.


IDG UK Sites

Samsung Galaxy S5 mini vs HTC One mini 2 comparison review: Design and price beats additional...

IDG UK Sites

Why local multiplayer gaming is rapidly vanishing: we look at the demise of split-screen and LAN...

IDG UK Sites

Colour-depth not resolution is what will make 4K a success or failure

IDG UK Sites

iPhone 6 vs iPhone 6 Plus: Which new iPhone 6 model should I buy?