The supermarket giant Tesco recently suffered a major security breach, and a large number of its tesco.com customer accounts were exposed and posted on the popular text-sharing site Pastebin. The data included Tesco customers’ usernames, passwords and loyalty card balances.

The data was verified (often such publicly displayed data breaches consist of out-of-date or historic data and are of limited value) and proven by users and other hacktivists to be genuine. Tesco have a history of somewhat underwhelming their users and other security observers with regard to the security of their web services. Indeed, they were held to account by the ICO late in 2012, a fact widely reported in the press and elsewhere, such as BBC News.

This latest breach seems to have been the result of a brute-force break-in. Troy Hunt has a great post describing the Tesco hack and how he thinks it was done. We’re all fairly sure that Tesco did store passwords in the clear in a previous incarnation of the site. However, while they have clearly improved the site since the ICO incident, it still seems to have several fundamental weaknesses.

Of course the users of the site themselves have some responsibility: using trivial passwords and reusing passwords from other sites/logins is just plain stupid. For the consumer the proliferation of passwords is a huge problem, but there’s a certain naivety in security experts expecting the average consumer to create a different password for every site they go to. There are of course tools to help in that regard, 1Password and LastPass to name but two. The trouble is there’s no real answer to the password issue until we get some sort of federated system that everyone can get behind.

The move towards OTP authenticators as used by Amazon, Google and several others is, unless we co-ordinate in some way, just going to add to the problem and make it worse for consumers before it gets any better.
