The Information Commissioner’s Office (ICO) has confirmed it is investigating Tesco security practices, after reports of weaknesses in the online shopping site of the supermarket giant.
Researcher Troy Hunt blogged last month on Tesco security problems, as it appeared passwords were not hashed or salted, nor were they encrypted. The company has not been forthcoming on how exactly it does protect passwords.
An exclusive TechWeekEurope report found that the main Tesco.com website had a serious cross-site scripting (XSS) flaw. Despite TechWeekEurope giving Tesco all the relevant details of the vulnerability, the security hole was still present as of last week.
Now the reports have caught the attention of the UK’s data protection watchdog, which could mean Tesco is forced to open up on how it is protecting customers.
“We are aware of this issue and will be making enquiries,” a spokesperson confirmed to TechWeekEurope. The spokesperson said the ICO would be asking questions about both the password problems and the XSS vulnerability.
The password issues and the XSS flaw were not the only problems highlighted last month. Another Tesco security flaw, according to Hunt, is that the main website serves “mixed mode HTTPS”: pages are loaded over HTTPS, but certain resources on them are loaded over plain HTTP, giving users “no assurances whatsoever”. Browsers detect this and even warn users, yet Tesco still had not fixed the issue.
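A check for the mixed content Hunt describes, as an added example (not Tesco's or Hunt's code): it parses an HTML page that was served over HTTPS and lists every subresource fetched over plain HTTP, separating active references (scripts, stylesheets, frames, plugins, which can alter the page) from passive ones (images and media). The sample page is constructed for illustration.

```python
"""Mixed-content check for an HTML page served over HTTPS (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose http:// subresources can run code or restyle the page
# (active mixed content) versus tags that only display data (passive).
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            url, severity = attrs.get("href"), "active"
        elif tag in ACTIVE_TAGS:
            url, severity = attrs.get(ACTIVE_TAGS[tag]), "active"
        elif tag in PASSIVE_TAGS:
            url, severity = attrs.get(PASSIVE_TAGS[tag]), "passive"
        else:
            return
        # Only absolute http:// URLs are a problem: relative paths and
        # protocol-relative (//host/...) references inherit the page's https.
        if url and urlparse(url).scheme == "http":
            self.findings.append((severity, tag, url))


def find_mixed_content(html):
    """Return a list of (severity, tag, url) for each http:// subresource."""
    parser = MixedContentParser()
    parser.feed(html)
    return parser.findings


# Constructed sample page: three offending references, two harmless ones.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example/site.css">
<script src="https://static.example/app.js"></script>
<script src="http://static.example/tracker.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="//images.example/banner.png">
<img src="/local/icon.png">
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{severity:7} <{tag}> {url}")
```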
Tesco has been tight-lipped about the issues. Today it yet again pointed this publication to the only official line it has offered over the past month, despite repeated requests for fresh comment, which reads: “We know how important Internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely.”
Comments
Tesco is a private organisation, and the ICO's track record in enforcement is laughable compared to the public sector infractions.
What's worse is that a well-respected outfit like TechWeekEurope, when notifying Tesco, can't even get them to respond or, worse still, correct the issue.
I think it's time someone did a report comparing the ICO fines and size of the security breach within the public and private sectors.
The real problem is that we use simple and often identical passwords across multiple websites. The solution is Aladdin http://www.indiegogo.com/aladdin-key because it is a USB key(board) that types your password so you don't have to.