Asda has been slammed for ignoring a security flaw on its website for nearly two years, amid claims it could have allowed hackers to collect personal data and payment details on nearly 19 million transactions.
The supermarket giant was first alerted to the vulnerability in March 2014 by security consultant Paul Moore. However, Moore maintains Asda took no action until just this week, when he made the flaw public, despite his providing evidence from Twitter of customers complaining their data had been breached.
An Asda spokeswoman insisted that “multiple layers of security [are] in place on our grocery website”, and that the supermarket had “implemented a number of changes to our website to improve customer security”.
She also maintained that there was no knowledge of any customer information having been compromised during the time period the flaw was open. “We also believe that there is no prospect of a scale security breach,” the spokeswoman added. “Asda and Walmart take the security of our websites very seriously.”
Moore went public with information about the vulnerability earlier this week, and said that after initially making Asda aware of the flaw “little appears to have changed”.
On his blog, Moore claimed that hackers could easily access customer details by using a combination of techniques. He also pointed out that Asda processed more than 200,000 online orders each week in the second quarter of 2014, meaning more than 19 million transactions have occurred since he first alerted the firm.
Moore added: “Unfortunately, it’s difficult to know if your details have been stolen unless the attacker uses the information very shortly after the breach occurs, such that it’s reasonable to assume a link between the two. However, Asda may be able to shed further light on anyone affected by this, or any other exploit.”
For now, Moore suggested that the best way for consumers to keep safe is “simply to shop elsewhere”.