On 28 October 2010 12:30, Tesco.com Support wrote: Dear Mr Clark Thank you for contacting me and please accept my apologies for the delay in replying to you. I've had a word with my support team and asked them if they're stored with ‘one way encryption’ or any encryption and they say that although the information is not encrypted the level of security surrounding the password means that only the senior technical positions could access the information. I'm sorry that you've decided to terminate shopping with us due to this issue as to my knowledge we've never been hacked and they've tried. The main issue with regard password theft is Phishing and there're a number of those emails going about at the moment. If you’ve any further queries please don’t hesitate to contact me at support@tesco.co.uk quoting TES8404228X. Kind Regards Stephen Wood Customer Service Manager Tesco.com Support ----- Original Message ----- From: "Ben Clark" Date: 21 October 2010 Subject: Password security - why I'll no longer be using tesco online Hello there, This should probably be passed onto your web/IT team. Today I used the forgot password link on your website and my original password was sent in plain text via email. I am a professional web developer who works and has worked on several high profile, security conscious, e-commerce based websites. The fact that you sent me my original password in plain text tells me that you are not storing the password hashed (aka 1-way encrypted). This is a very basic level of security that would protect your customers should your database get compromised by preventing anyone from seeing your customers passwords. It also prevents potentially malicious people within the organisation from being able to see the password. Knowing that you don't use this minimal protection of your customer details tells me that I cannot trust the tesco.com website any longer and will therefore cease using it and will shop with a competitor in future. I should also mention that I was initially impressed when first signing up some time ago that my welcome email gave my username and did not include my password but said: "Your password is known only to yourself". This gave me confidence that the tesco.com software engineers understood web security, that my password was probably stored hashed and that they knew not to send passwords through an insecure, unencrypted medium such as email. Unfortunately I discovered the opposite today. Yours, Ben Clark