Supermarket Chain Probed Over Lax Online Security
A Tesco superstore in Newcastle, northern England, in 2007.
CREDIT: Mankind 2k/Creative Commons
Tesco, the leading supermarket chain in Britain, is under scrutiny from the U.K. Information Commissioner's Office after being accused of failing to adequately protect consumer information.
The probe is apparently in response to recent blog and Twitter postings by software architect Tony Hunt, who noticed that Tesco would email customers their passwords if they'd forgotten them, was mixing encrypted and unencrypted content on its website and was using outmoded ancient Web-server software.
"Clearly the passwords aren't hashed at all, let alone salted," Hunt wrote on his blog, referring to two complementary methods of password encryption.
Tesco's Twitter feed responded to Hunt's accusations: "Passwords are stored in a secure way. They're only copied into plain text when pasted automatically into a password reminder email."
Tesco has yet to suffer a known online security breach, but Hunt implied that if the company were to be targeted, hackers might have very little trouble obtaining and publishing Tesco's customer and employee information, including credit card numbers.
"We are aware of the issues relating to the Tesco website and will be making enquiries," a spokesman for the Information Commissioner's Office told London's Telegraph newspaper.
Most security experts say websites should have no access at all to the original customer passwords. Instead, best practices call for hashing the passwords by running them through an encryption process, and salting them by adding secret data that will result in values unknown to hackers.
When a customer logs in, his password is hashed using the same process, then compared to the hash on file before he is permitted entry.
Tesco is hardly the only large company accused of shirking when it comes to protecting customers online.
Yesterday (Aug. 20), Dutch consumer-electronics company Philips fell victim to "r00tbeersec," a group of four hackers who stole and posted the personal information of hundreds of Philips customers, including email addresses, birth dates and, for about 300 people, plain-text passwords.
Matching plain-text or weakly encrypted passwords to known email addresses puts the owners of those accounts at risk of identity theft and account hijacking, since many people register the same email address and password on multiple websites.
Summer of shame
This summer, hackers have been teaching companies difficult lessons in how to handle user passwords.
On June 6, professional-networking website LinkedIn suffered a data breach that saw 6.4 million weakly encrypted passwords posted to a Russian hacker forum. The following day, online dating service eHarmony had 1.5 million passwords posted online.
In both cases, the passwords were encrypted without being salted, meaning that hackers could compare known hash results of common passwords to the lists, or, with a little hardware, crack the passwords using freely available software.
To make sure you're not the victim of a data breach, create strong passwords for every online mail, retail or financial account — any site that holds sensitive personal or financial information, such as your birth date or credit-card number. Use each password for only one site.
If you fear you've already become a victim, check ShouldIChangeMyPassword.com to run your email address against a master list of all addresses divulged in recent data breaches.