ICO Probes Tesco Security Issues

The Information Commissioner’s Office (ICO) has confirmed it is investigating Tesco security practices, after reports of weaknesses in the online shopping site of the supermarket giant.

Researcher Troy Hunt blogged last month on Tesco security problems, as it appeared passwords were not hashed or salted, nor were they encrypted. The company has not been forthcoming on how exactly it does protect passwords.

An exclusive TechWeekEurope report found the main Tesco.com website had a serious XSS flaw. Despite giving Tesco all the relevant details on what the vulnerability was, the security hole was still there as of last week.

ICO interest

Now the reports have caught the attention of the UK’s data protection watchdog, which could mean Tesco is forced to open up on how it is protecting customers.

“We are aware of this issue and will be making enquires,” a spokesperson confirmed to TechWeekEurope. The spokesman said the ICO would be asking questions about both the password problems and the XSS vulnerability.

The password issues and the XSS flaw were not the only problems highlighted last month. Another Tesco security flaw is a  main website guilty of “mixed mode HTTPS”, where pages are loaded up over HTTPS but certain resources are loaded over HTTP, giving users “no assurances whatsoever”, according to Hunt. Browsers pick up on when this happens and even warn users, yet Tesco still had not fixed the issue.

Tesco has been tight-lipped about the issues. Today it yet again pointed this publication to the only official line it has offered over the past month, despite repeated requests for fresh comment, which reads: “We know how important Internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely.”

Are you a security guru? Try our quiz!