The UK’s privacy watchdog is investigating Tesco’s web security following claims by experts that its website suffers from a host of exploitable vulnerabilities.
“We are aware of this issue and will be making enquiries,” a spokesperson for the Information Commissioner’s Office said.
Security researcher Troy Hunt first reported details of the supermarket giant’s security weaknesses on his blog three weeks ago, pointing out that Tesco sends plaintext password reminders to customers who have forgotten their login details. Hunt also listed a series of other flaws, including restrictions on password length and insecure handling of HTTP cookies.
"When a website stores passwords, how they're protected in the database is important," he told the BBC.
“If that database is breached, the only thing saving someone's credentials is the way they're protected in storage. What should have happened is that there should be some form of cryptographic storage - not in plain text,” Hunt added, explaining that the plaintext password retrieval scheme, as opposed to directing customers to a link where they can reset their passwords, suggests that the passwords are not stored securely.
For its part, Tesco has insisted its web security is “robust” and “in line with industry standards across online retailers.”
"We know how important internet security is to customers and the measures we have are robust," the company said in a statement.
"We are never complacent and work continuously to give customers the confidence they can shop securely."
But Hunt and other experts aren’t convinced. “Padlock GIFs and statements on web pages mean absolutely nothing if what’s underneath has got holes all through it,” he wrote.
A spate of high-profile password hacks in recent months, including a LinkedIn breach in which millions of account details were stolen, confirms the extent to which web security should be taken seriously.