ICO ‘making enquiries’ into Tesco website security concerns

Retailer was sending out customer password reminders in plain text

The Information Commissioner's Office (ICO) has revealed that it is 'making enquiries' into a number of security concerns that have been raised regarding retail giant Tesco's customer-facing website.

Earlier this month, security researcher Troy Hunt detailed in a blog post that he had received a password reminder email from Tesco that contained his password in plain text.

Hunt wrote: "Righto, so how exactly was that password protected in email? Well, of course it wasn't protected at all, it was just sent off willy nilly."

In Tesco's terms and conditions, the company states that customers can be "totally confident when [they are] shopping with Tesco.com" and at the time told Computerworld UK in a statement that its security measures are "robust".

However, it has become clear that the ICO feels that the allegations are strong enough to begin a probe.

A spokesman for the ICO said: "We are aware of these issues and will be making enquiries."

Hunt was prompted by his experience to investigate additional security aspects of Tesco's website.

One thing he identified was that although users log into the Tesco website over HTTPS, which "implies a degree of security", the browser then reverted to plain HTTP, which gives users no such assurance. Hunt said that this can cause problems for data protection and leave users vulnerable to hacking.

He said: "HTTP is stateless so the only (practical) way a state, such as being logged in, can be persisted is by passing cookies backwards and forwards between the browser and the website.

"Because they're being sent over a HTTP connection, anyone who can watch the traffic can see [those] cookies. And copy them. And hijack your session."
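The weakness Hunt describes comes down to how the session cookie is set: a cookie without the `Secure` attribute is sent on plain `http://` requests as well, and without an HSTS header the browser will follow a downgrade to HTTP. The following added example (not code from the article or from Tesco) audits a response's headers for exactly those two points; the `SessionId` cookie and both sample responses are constructed for illustration.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    # Session cookie with no Secure attribute: the browser will also send it
    # on plain http:// requests, so anyone watching the traffic can copy it.
    ("Set-Cookie", "SessionId=abc123; Path=/"),
]

HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    # Secure: only sent over HTTPS. HttpOnly: not readable by page scripts.
    ("Set-Cookie", "SessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    # HSTS: the browser refuses to fall back to http:// for this host.
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and its attributes (keys lowercased)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers: List[Header]) -> List[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    findings: List[str] = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: it will be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by page scripts")
    if not any(f.lower() == "strict-transport-security" for f, _ in headers):
        findings.append("no Strict-Transport-Security header: browser may fall back to HTTP")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or ["ok"])
```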

It was revealed earlier this year that Tesco was planning to invest £150 million in its online division, as it aims to refocus attention on its underperforming UK business.

Computerworld UK contacted Tesco for comment on the ICO's investigation but had not received a response at time of publication.
