The Information Commissioner's Office (ICO) is to investigate a number of security issues surrounding supermarket giant Tesco's customer website.
A couple of weeks ago, security researcher Troy Hunt pointed out in a blog that he received a password reminder from Tesco that contained his password in plain text.
Hunt told the BBC that this showed Tesco's password data was not being securely stored. A more secure way of storing passwords would be to send users details on how to reset a password rather than sending the password itself in plain text.
The researcher also said that the retailer should use HTTPS across the entire site in order to protect customers from phishing and other attacks.
Although HTTPS is used on some part of the website, it isn't in others and Hunt said this does not assure customers using the site.
"HTTP is stateless so the only (practical) way a state, such as being logged in, can be persisted is by passing cookies backwards and forwards between the browser and the website," he said.
"Because they're being sent over a HTTP connection, anyone who can watch the traffic can see those same cookies. And copy them. And hijack your session."
The allegations surrounding the debacle have become serious enough for the ICO to launch an inquiry into the retailer's security measures. A spokesman for the ICO told IT Pro that investigations into the problem were at an "early stage".
"We are aware of these issues and will be making enquiries," said the spokesman.
Tesco responded with a statement saying: "We know how important internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely."
-
What does modern security success look like for financial services?Sponsored As financial institutions grapple with evolving cyber threats, intensifying regulations, and the limitations of ageing IT infrastructure, the need for a resilient and forward-thinking security strategy has never been greater
-
Yes, legal AI. But what can you actually do with it? Let’s take a look…Sponsored Legal AI is a knowledge multiplier that can accelerate research, sharpen insights, and organize information, provided legal teams have confidence in its transparent and auditable application
-
Scania admits leak of data after extortion attemptNews Hacker stole 34,000 files from a third-party managed website, trucking company says
-
23andMe 'failed to take basic steps' to safeguard customer dataNews The ICO has strong criticism for the way the genetic testing company responded to a 2023 breach.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
