Last week, Computing reported that Tesco “is to be asked to explain the alleged poor security practices of its website to the Information Commissioner's Office (ICO).”
Concerns had earlier come to a head on Twitter when it emerged that Tesco’s support services could simply email a password to users. Troy Hunt was one commentator who questioned the security involved. He decided to resurrect an old Tesco account he had (from before he moved to Australia), and received his old password emailed to him in plaintext. “Clearly,” he subsequently wrote, “the passwords aren’t hashed at all let alone salted. At best they’re encrypted but chances are they’re stored in plain text, unfortunately there’s no evidence to the contrary.”
Tesco does not seem to be listening to the expert's concerns. Last week Tesco Customer Care responded to ‘Craig’, “Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder email.”
Yesterday, Hunt noted, “This was just last week and well after the ‘robust’ theory had been well and truly rejected by a great number of people who actually know what robust security looks like (or least know what it doesn't look like).” But Hunt then goes on to illustrate (without disclosing) a cross-site scripting vulnerability that he had learned about. He reported this to Tesco. “That was two and a half weeks ago so nearly a week later, after receiving no response, I followed up on the original message. Nothing. Nada. Zip. And the vulnerability is still there.”
“Interestingly,” he concludes, “it seems that Tesco’s rather unique approach to security is now coming under scrutiny from the Information Commissioners Office in the UK,” referring back to the Computing article. “Whilst a statement such as ‘We are aware of this issue and will be making inquiries’ [which is what the ICO actually told Computing] is far from a damning indictment, it will be interesting to see how this unfolds and whether the company may actually be called on those ‘lousy’ practices."
The BBC has now reported on the story, commenting, “The Information Commissioners Office (ICO) confirmed to the BBC that it was making enquiries into Tesco regarding the complaints, but would not comment further until more information had been gathered."