Troy Hunt wrote a blog post on security flaws he identified on Tesco’s website, and it grew rapidly in influence. Today the BBC grabbed hold of the story and took it mainstream, quoting Troy’s original article and drawing in the opinions of other web security experts. In essence the message is that Tesco is not a safe place to shop and that if you give them your data it is vulnerable to being hacked. The consequence for Joe Bloggs – who in all likelihood uses the same password for email, Facebook, banking and shopping – is that his whole online profile could now be exposed.
Previous social media disasters that I’ve witnessed have related to poor service (United broke my guitar) or ill-conceived marketing ploys (Next trying to sell furniture off the back of riots in Egypt). This is the first PR/social media disaster that has its roots in IT architecture. However, the lessons in dealing with this are the same as they are when dealing with a complaint – respond, resolve and learn.
Had it taken Troy’s original post seriously, Tesco could in all likelihood have avoided the uncomfortable news stories. However, their lack of a positive resolution has increased the viral effect of this story to the point where it has become mainstream. Once again this proves the need for service channels (whether online or offline) to have effective escalation procedures. Organisations should start questioning how they escalate a tweet regarding security issues from the customer services team to the CIO’s desk.
- Rather obviously – build secure IT systems that don’t store passwords in plain text and are fortified against XSS attacks
- Have systems independently audited for security flaws (particularly XSS attacks)
- Create escalation procedures for (potential) IT security flaws
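As an added illustration of the first point (example code written for this page, not from the original post or from Tesco): the difference between a plain-text credential record and a salted, iterated hash is that a leaked copy of the latter does not hand over a password the customer reuses elsewhere. The usernames and passwords below are constructed sample values.

```python
import hashlib
import hmac
import os

# Two ways a shop could store a customer's password. Both functions return
# the record that would sit in the user table (constructed example, not a
# real schema).

def store_plaintext(username: str, password: str) -> dict:
    """The flawed approach: the password itself is the stored record."""
    return {"user": username, "password": password}


def store_hashed(username: str, password: str, iterations: int = 200_000) -> dict:
    """Store only a per-user random salt plus a PBKDF2-HMAC-SHA256 digest.

    The salt stops identical passwords from producing identical records; the
    iteration count makes offline guessing expensive for whoever leaks the table.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {
        "user": username,
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": digest.hex(),
    }


def verify_hashed(record: dict, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def exposed_by_leak(record: dict) -> bool:
    """Would a copy of this record give away the reusable password directly?"""
    return "password" in record
```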