ICO to investigate Tesco following data security claims

The Information Commissioner's Office (ICO) is to investigate Tesco after research revealed failings in the retail giant's security.

According to Computing, Tesco will be asked to explain the alleged poor security practices of its website, including allegations that it stores login and password information in an unhashed and unsalted format, does not use HTTPS on some pages and emails passwords to users in plain text.

The ICO said that it was "aware of this issue and will be making inquiries".

The research released by Troy Hunt last month caused Tesco to respond to claims that it was "well short of industry standards on a number of fronts". A Tesco spokesperson told SC Magazine that it knew how important internet security was to its customers and the measures it had were robust.

“We are never complacent and work continuously to give customers the confidence that they can shop securely,” it said.

In an email to SC Magazine, Hunt said that he found it interesting that a governing body may take an interest without a breach having occurred, but was unsure what powers the ICO has in the UK.

“I'm yet to see anything beyond hearsay regarding their investigation,” he said.

Asked if he felt that this is something that Tesco should have rectified before a regulator got involved, Hunt said: “Absolutely. You'd have to be living in a cave not to have witnessed the continued, persistent activities of groups such as Anonymous and be very aware of the risks of a poorly secured website.

“Of course they were also told this many times by many people over many years so it's somewhat astounding that nothing has been done about it.

“So yes, I think it is welcome news and with any luck it might set a good precedent about the responsible handling of customer data. It will be interesting to see the detail that comes out of it (i.e. what was the basis of the investigation - just password storage?).”

Hunt had previously highlighted a 2007 blog published at Jemjabella.co.uk that focused on flaws in Tesco's email security.