Supermarket giant says it is investigating how a list of customer logins and passwords was posted online yesterday, leading an expert to question online retail defences
Tesco has confirmed it is “urgently” investigating how the details of over 2,000 of its online shopping customer accounts were posted to a text-sharing site yesterday.
It is not clear where the information, which included login details and passwords, was obtained, but one suggestion is that hackers compiled the list from details stolen elsewhere.
The supermarket said in a statement it takes the security of its customers’ data “extremely seriously”. “We are urgently investigating these claims,” the Tesco statement added.
“We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this. We will issue replacement vouchers to the very small number who are affected.”
The BBC also reported late yesterday that some of the people it contacted via the email addresses given on the list confirmed their accounts had now been deactivated.
Taking steps to minimise risk
Ilia Kolochenko, chief executive of information security and penetration testing firm High-Tech Bridge, stressed it was too early to draw any conclusions about how the data got into the public domain. “For the moment we don't have any technical evidence that Tesco was hacked,” he said.
“Stolen credentials may come from various sources, for example from Tesco’s customers’ machines being compromised, or from a phishing website. The bigger a company is, the easier it is to compromise some of its customers without attacking the company directly.”
The security company recently published research into the security of e-commerce websites against hacking and vulnerabilities. It found that 98% of the 100 largest websites failed to automatically protect users by redirecting them to the highly secure HTTPS version of their sites.
And only 27% had a secure HTTPS version of their sites for all customer-facing pages, leaving critical details such as passwords and billing information openly available to identity thieves.