Tesco web security 'flaw' probed by UK data watchdog

  • Published
Tesco website
Image caption,
Tesco said they were "continuously working" to keep their site secure

The UK's data privacy watchdog is examining the security of Tesco's website after a string of experts highlighted concerns.

Specialists have criticised the way in which the global supermarket chain stores the passwords of shoppers on Tesco.com.

One expert told the BBC he had warned Tesco about other serious issues which he has not made public because of their sensitive nature.

Tesco said its security was "robust".

"We know how important internet security is to customers and the measures we have are robust," the company said in a statement.

"We are never complacent and work continuously to give customers the confidence they can shop securely."

There is no evidence to suggest Tesco has been targeted by hackers, nor that customers' personal data is at risk.

Cryptographic storage

Troy Hunt, a security expert who revealed details of the flaws on his blog, told the BBC he believed the Tesco website was breaking some fundamental data storage rules.

"When a website stores passwords, how they're protected in the database is important," he explained.

"If that database is breached, the only thing saving someone's credentials is the way they're protected in storage. What should have happen is that there should be some form of cryptographic storage - not in plain text."

Mr Hunt pointed out that as Tesco was able to email users their password in plain text, this showed the data was not being stored cryptographically.

A more secure method of password recovery is for websites to email users instructions on how to reset their password, rather than revealing the password itself.

Security expert Graham Cluley echoed Mr Hunt's concerns.

"It does appear as though Tesco didn't really follow industry best practice with their site.

"That's not to say that people's detail are at risk or that they're in danger of being hacked - but it's surprising to see how Tesco has designed its site with regards to how it stores its passwords."

'Full review'

Mr Hunt also criticised Tesco for not using HTTPS - Hypertext Transfer Protocol Secure - across its entire site.

He said this left users susceptible to phishing attacks or even the interception of data - particularly when using shared wi-fi networks.

The Information Commissioners Office (ICO) confirmed to the BBC that it was making enquiries into Tesco regarding the complaints, but would not comment further until more information had been gathered.

Mr Cluley said Tesco was by no means the only major website to have "out of date" storage methods, but said the supermarket should move to reassure online shoppers that the matter is being taken seriously.

"They need to do a full review of their website security and make sure they're following good industry practice," he told the BBC.

"With the number of websites they have, that isn't going to be a small task. But it is something that they'll want to address and reassure people they've got it sorted out."