The Information Commissioner’s Office has confirmed it is investigating claims that the security on Tesco’s website is so “lousy” it is leaving itself open to attack because of the way it stores customer passwords and email addresses.
The concerns were first raised by Troy Hunt, a software architect, who said that as well as poor basic security practices he had uncovered flaws in Tesco’s website that made it vulnerable to hackers.
“Tesco continually overstate their security prowess whilst clearly under-delivering in their execution,” he said on a blog. The claims were picked up by other experts including Bruce Schneier, an expert in cryptography and said to be one of the most respected commentators in computer security circles. He described Tesco’s website security as “lousy”.
The firm has rejected the allegations, insisting that its security is “robust”.
“We know how important internet security is to customers and the measures we have are robust,” a spokesman said. “We are never complacent and work continuously to give customers the confidence they can shop securely.”
However, the ICO said: “We are aware of the issues relating to the Tesco website and will be making enquiries”.
Among the problems identified by Hunt is that Tesco does not “salt” customer passwords when it stores them. Salting, which means adding a random per-user value to each password before it is hashed, is recommended by security experts because it stops identical passwords from producing identical stored values and prevents an attacker who obtains the stored hashes from looking them up in a precomputed table; each hash has to be cracked separately instead.
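The difference salting makes, as an added illustration that is not code from Tesco, from Hunt’s write-up or from this article: the unsalted scheme below hashes the bare password, so every customer who picks the same password gets the same stored value and one lookup in a precomputed table recovers it; the salted scheme uses a random 16-byte salt per record and a slow key-derivation function (PBKDF2-HMAC-SHA256, chosen here as an assumption, not something the article attributes to anyone), so the same password yields different records and an attacker must run the KDF afresh for every candidate against every record. The password list and the “rainbow table” are constructed inline so the example runs offline; the record format `iterations$salt$hash` is this example’s own convention.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data: a handful of common passwords and a tiny precomputed
# table of their unsalted SHA-256 hashes (what a real attacker buys or builds
# once and reuses against every breached site).
COMMON_PASSWORDS = ["password", "123456", "letmein", "tesco123"]
UNSALTED_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def store_unsalted(password: str) -> str:
    """Weak scheme: bare SHA-256 of the password. Identical for every user who picks it."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored_hash: str) -> Optional[str]:
    """A single dictionary lookup recovers the password; no per-record work at all."""
    return UNSALTED_TABLE.get(stored_hash)


def store_salted(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF. Record format (this example's convention):
    'iterations$salt_hex$digest_hex'. The salt is stored in the clear; it is not a secret."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_salted(record: str) -> Tuple[Optional[str], int]:
    """Dictionary attack on ONE salted record. Returns (password or None, KDF runs spent).
    Nothing here can be precomputed: the salt is only known once the record is in hand,
    and the work is repeated from scratch for every other record."""
    attempts = 0
    for guess in COMMON_PASSWORDS:
        attempts += 1
        if verify_salted(guess, record):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # Two customers choose the same password.
    a, b = store_unsalted("tesco123"), store_unsalted("tesco123")
    print("unsalted records identical:", a == b)
    print("unsalted cracked via table lookup:", crack_unsalted(a))

    r1, r2 = store_salted("tesco123"), store_salted("tesco123")
    print("salted records identical:", r1 == r2)
    print("salted verify correct password:", verify_salted("tesco123", r1))
    print("salted crack cost for one record:", crack_salted(r1))
```

The point the article is making shows up in the last two lines of output: the unsalted store leaks which customers share a password and falls to a table lookup, while each salted record costs the attacker a full pass over the dictionary at the chosen iteration count.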
Hunt also said that Tesco failed to protect properly against a type of hacking attack called cross-site scripting. He said he had contacted the supermarket’s senior IT staff about the risk but received no reply.
“That was two and a half weeks ago, so nearly a week later, after receiving no response, I followed up on the original message. Nothing. Nada. Zip. And the vulnerability is still there,” he said.