UK retailer Tesco came under fire earlier this week for website security practices that may be leaving customer data vulnerable to hackers.

The incident started when software architect Troy Hunt noticed a tweet indicating that Tesco must be storing customer passwords in a manner that doesn't adhere to best practices because the retail giant emails customers their passwords in plain text.

After experimenting, Hunt confirmed that this is indeed the case, and he also found numerous other security faux pas, including issues with Tesco's use of SSL encryption.

Given the high risks and costs that come with security breaches today, security should be top of mind for any company operating online. This is particularly true for online retailers, most of which collect sensitive and valuable information from customers, such as credit card numbers.

There are numerous things that online retailers can learn from Tesco's fail. Here are five of the most important.

1. Somebody is paying attention

It's often easy for companies to believe that nobody is watching. If we don't employ best practices, for instance, or we haven't updated something that should be updated, who is going to notice?

It may take a while, but chances are that if your company has any visibility in the markets it serves, somebody will eventually notice. So instead of pretending that you can get away with doing a less-than-stellar job, it's far better to raise the bar and do what's right.

2. The good guys usually aren't the first to notice your flaws

While Hunt deserves credit for bringing the issues he stumbled onto to the attention of Tesco and the public, the unfortunate reality is that those who aren't so well-intentioned are usually the first to know.

For retailers, this means one thing: by the time somebody tells you that you have major security gaps, chances are those who would seek to exploit them are already trying to figure out how to.

3. There are no legitimate excuses for not doing the basics

The internet has seen a growing number of high-profile security lapses over the past several years, and for good reason: data, be it credit card numbers or compromised accounts, is valuable. The particularly disappointing news: in many cases, the worst security breaches have been the result of ignoring long-standing techniques that any half-decent web developer knows about.

There's absolutely no excuse for this, and companies that aren't adhering to the most basic of security best practices will increasingly have little ability to defend themselves against charges of incompetence and laziness. In the case of Tesco, this is particularly true given that it has apparently been storing passwords insecurely since 2007.

4. Social media isn't always your friend

Arguably one of Tesco's biggest mistakes was quickly responding to Hunt via Twitter. Obviously, one of the individuals responsible for managing Tesco's Twitter account saw Hunt's tweet about Tesco's password storage security and felt the need to respond.

But in writing "Passwords are stored in a secure way. They're only copied into plain text when pasted automatically into a password mail," that person stepped into a technical discussion that was clearly above his or her head, as the response essentially confirmed Hunt's argument.

This serves as a valuable lesson for companies: important issues deserve meaningful, informed responses. Occasionally, this may require the people in charge of a social media account to bring an issue elsewhere in the organization before a response is provided.
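The reply quoted above gives the game away: a password can only be "copied into plain text" for a mail if the site stores it in a recoverable form. The following is an added example, not code from the article or from Tesco's systems, showing the layout that makes a password mail impossible by design (a per-user salt plus a one-way PBKDF2 hash) and the usual replacement for such mails, a single-use, expiring reset token of which only the hash is stored. The in-memory `USERS` and `RESET_TOKENS` tables, the 200,000-round work factor and all user names are constructed for the demonstration.

```python
"""Added example: non-recoverable password storage plus a reset-token flow.
Not taken from the article or any retailer's code; all data is constructed."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example

# Constructed in-memory tables standing in for a real database.
USERS = {}         # user -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> {"user": str, "expires": float}


def set_password(user, password):
    """Store only a random per-user salt and a one-way hash of the password.
    Nothing kept here can be turned back into the password for an email."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[user] = {"salt": salt, "hash": digest}


def check_password(user, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = USERS.get(user)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])


def recover_password(user):
    """What a 'password mail' would require. A hashed store cannot provide it,
    which is exactly the property a site should want."""
    raise LookupError("passwords are not recoverable from a salted one-way hash")


def issue_reset_token(user, ttl_seconds=900, now=None):
    """Replacement for emailing a password: a random single-use token that
    expires. Only its hash is stored, so a leaked table leaks no live tokens."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = {"user": user, "expires": now + ttl_seconds}
    return token  # this value goes in the email, nothing else does


def redeem_reset_token(token, new_password, now=None):
    """Accept a token once, and only before it expires; then set the password."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    rec = RESET_TOKENS.pop(token_hash, None)  # pop makes the token single-use
    if rec is None or now > rec["expires"]:
        return False
    set_password(rec["user"], new_password)
    return True


if __name__ == "__main__":
    set_password("alice", "correct horse")
    print("login ok:", check_password("alice", "correct horse"))
    try:
        recover_password("alice")
    except LookupError as exc:
        print("password mail impossible:", exc)
    tok = issue_reset_token("alice", ttl_seconds=900)
    print("reset accepted:", redeem_reset_token(tok, "new passphrase"))
    print("reset replayed:", redeem_reset_token(tok, "again"))
```

Two users who pick the same password get different stored hashes because of the per-user salt, and the reset token is stored hashed for the same reason the password is: whoever obtains a copy of the table should gain nothing usable from it.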

5. A company's respect for its customers is best reflected by how it treats their data

Perhaps one of the most interesting things about Troy Hunt's post was some of the comments from individuals claiming to have first-hand experience with Tesco. One wrote "Having worked for 5 years ago, non [sic] of this surprises me", while another added "Tesco used to be a customer for a company I worked for. This is the tip of the iceberg."

The accuracy of these comments is unknown, but it does raise an interesting rhetorical question for online retail executives to ponder: in an industry that is dependent on the consumer like few others, if your organization doesn't treat its customers' data carefully, how customer-centric can its culture really be?

Patricio Robles

Published 1 August, 2012 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy. Follow him on Twitter.


Comments (4)


Dan Humphrey

Surprising to see such a retail giant not following best practices especially after the last two years of various hacking groups taking down the likes of Sony, Paypal and Government websites.

As you rightly said security should be one of the most important concerns while operating online. All sensitive customer information should be encrypted at all times.

about 6 years ago


Kevin Obee

Tesco should never have been in this position. They are represented on the PCI Security Standards Council Board of Advisors and as such help set the development standards for websites handling online payments.

about 6 years ago



Beginning to think that no one takes online security seriously. Recent poll results show that 3 of 5 U.S. adults who are online say they feel they're vulnerable to being hacked, yet most engage in really risky behaviors online, like reusing passwords on multiple sites and never changing their passwords (62% of all Americans)*.

Why is it that breach after breach, it seems like no one, consumers or companies--anyone--does anything to protect themselves online?

Data results come from here, if you're curious:

about 6 years ago


Hannah Norman, Digital Marketing Executive at Koozai Ltd

Great post. I think that the more these holes are identified (hopefully in legitimate ways although sadly most aren't) security will become better. I also think that there will always be a hole in security somewhere, it's just a case of finding and closing it or exploiting depending on your intent.

I actually wrote my recent blog ( on a similar topic. I only wish I had waited a few days because this would have been great to write about. I'm pleased someone wrote a good piece though!

almost 6 years ago
