Tesco have failed at making their system secure and up to the standards of the Payment Card Industry (PCI) Data Security Standard by sending users' passwords in plain-text format over email. This is a huge security issue for a company of its size, and for all the personal information it holds on its users.
Obtain and examine documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable). Verify that the PAN is rendered unreadable using any of the following methods:
- One-way hashes based on strong cryptography
- Index tokens and pads, with the pads being securely stored
- Strong cryptography, with associated key-management processes and procedures
@troyhunt Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail.
— Tesco Customer Care (@UKTesco) July 29, 2012
The very same issue with Tesco's password handling was raised way back in 2007 by the blogger Jemjabella, and still nothing has been done about it. Will Tesco get their act together and resolve the issue this time? In the meantime, change your password!
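The tweet from Tesco Customer Care above gives the game away: a password can only be "copied into plain text" for a reminder mail if the site can get the original back, which a one-way hash of the kind the PCI wording lists never allows. The following is an added illustration (not Tesco's code, and not anything the original post contained) of what storing passwords the proper way looks like: a salted PBKDF2-HMAC-SHA256 record that can only be verified, never reversed, and a password reset flow that emails a short-lived, single-use token instead of the password. The iteration count, the record layout, the token lifetime and the in-memory `UserStore` class are this example's own choices.

```python
import hashlib
import hmac
import os
import secrets
import time

# Illustrative parameters chosen for this example; tune to your own threat model.
PBKDF2_ITERATIONS = 100_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset link stays valid


def hash_password(password, salt=None):
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The password itself is never stored; only a salted, iterated one-way hash is,
    so nothing in the database can be pasted into a 'reminder' email.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


class UserStore:
    """In-memory stand-in for an accounts table (constructed for this example)."""

    def __init__(self):
        self.users = {}         # email -> password record
        self.reset_tokens = {}  # sha256(token) -> (email, expiry timestamp)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        record = self.users.get(email)
        if record is None:
            # Do a comparable amount of work for unknown accounts so that
            # response timing does not reveal which emails are registered.
            verify_password(password, hash_password("placeholder"))
            return False
        return verify_password(password, record)

    def start_reset(self, email, now=None):
        """What replaces the 'password reminder mail': a one-time reset token.

        The caller emails `token` to the user; only its hash is kept server-side,
        so a leaked database does not hand out usable reset links either.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.reset_tokens[token_hash] = (email, now + RESET_TOKEN_TTL)
        return token

    def finish_reset(self, token, new_password, now=None):
        """Consume the token once; reject it if unknown, expired or already used."""
        now = time.time() if now is None else now
        token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self.reset_tokens.pop(token_hash, None)  # pop => single use
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry or email not in self.users:
            return False
        self.users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "correct horse battery staple")
    print("login ok:", store.login("alice@example.com", "correct horse battery staple"))
    print("stored record:", store.users["alice@example.com"])
    token = store.start_reset("alice@example.com")
    print("reset ok:", store.finish_reset(token, "new passphrase"))
    print("old password now rejected:", not store.login("alice@example.com", "correct horse battery staple"))
```

The stored record contains the algorithm name, iteration count and salt alongside the digest, so the work factor can be raised later by re-hashing on the user's next successful login without a flag day. The point for the Tesco case is the asymmetry: `verify_password` can confirm a guess, but nothing in `UserStore` can produce the password again, which is exactly why a site that stores passwords properly has to offer a reset link rather than a reminder.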
If @UKTesco were genuinely serious about this password mess, they’d have their online sites pulled offline until the situation is resolved.
— Stuart Gibson (@stuartgibson) July 29, 2012