The Information Commissioner's Office (ICO) is to investigate a number of security issues surrounding supermarket giant Tesco's customer website.
A couple of weeks ago, security researcher Troy Hunt pointed out in a blog that he received a password reminder from Tesco that contained his password in plain text.
Hunt told the BBC that this showed Tesco's password data was not being securely stored. A more secure way of storing passwords would be to send users details on how to reset a password rather than sending the password itself in plain text.
The researcher also said that the retailer should use HTTPS across the entire site in order to protect customers from phishing and other attacks.
Although HTTPS is used on some part of the website, it isn't in others and Hunt said this does not assure customers using the site.
"HTTP is stateless so the only (practical) way a state, such as being logged in, can be persisted is by passing cookies backwards and forwards between the browser and the website," he said.
"Because they're being sent over a HTTP connection, anyone who can watch the traffic can see those same cookies. And copy them. And hijack your session."
The allegations surrounding the debacle have become serious enough for the ICO to launch an inquiry into the retailer's security measures. A spokesman for the ICO told IT Pro that investigations into the problem were at an "early stage".
"We are aware of these issues and will be making enquiries," said the spokesman.
Tesco responded with a statement saying: "We know how important internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely."
-
Third time lucky? Microsoft finally begins roll-out of controversial Recall featureNews The Windows Recall feature has been plagued by setbacks and backlash from security professionals
-
The UK government wants quantum technology out of the lab and in the hands of enterprisesNews The UK government has unveiled plans to invest £121 million in quantum computing projects in an effort to drive real-world applications and adoption rates.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
