Retailer Marks & Spencer has called in security consultants
after a programming blunder gave the public access to confidential
system passwords.

Bill Goodwin

M&S disclosed this week that an error on its Web site
transferred customers to a "dump file" containing two system
passwords when they clicked on one of the site's links. But the
retailer denied that the passwords would have allowed hackers easy
access to M&S systems.

"The file gave details of two out of five systems passwords,"
M&S said. "A hacker would not have got far with them. You have
to use the passwords in the right sequence in the right areas. Even
with the passwords you still have to negotiate around
firewalls."

M&S uses the dump files to record the movements of visitors
to its sites. The files contain an encrypted copy of each
customer's password in addition to the two system passwords and
details of their activity on the site.

The retailer said it fixed the problem within hours of it being
detected by automatic monitoring software. It has called in
consultants to ensure that the problem is not repeated.