| Dimension | Classification | Rationale |
|---|---|---|
| Recurring | one_organization, multiple_organization | (a) The software failure incident involving security vulnerabilities and poor practices, such as sending unencrypted passwords via email and recommending outdated browsers, has happened again at Tesco. It highlights a lack of adherence to industry standards and best practices for internet security [13466].<br>(b) Security vulnerabilities and negligence in handling user data have been a recurring issue across organizations. The Tesco incident is part of a broader trend in which major corporations have suffered high-profile password leaks and security breaches, indicating a systemic problem in the industry [13466]. |
| Phase (Design/Operation) | design, operation | (a) Design: security experts found several worrying security holes in Tesco's online setup, including the practice of sending unencrypted passwords to users by email. In addition, the Tesco 'Safe Shopping Guarantee' page recommended outdated browsers such as Internet Explorer 3 and Netscape Navigator 3.02, which were released over 15 years ago [13466].<br>(b) Operation: users reported that, once logged in, elements of the site were served insecurely over 'mixed mode HTTP', exposing users' data to risk. The site's error messages also revealed server software that was seven years out of date, an operational shortcoming that could contribute to system failures [13466]. |
| Boundary (Internal/External) | within_system | (a) within_system: the failure was primarily due to factors originating inside the system itself: sending unencrypted passwords to users by email, recommending outdated browsers, and security vulnerabilities in the website [13466].<br>(b) outside_system: the articles do not identify any cause originating outside the system; they focus on the internal issues and vulnerabilities in Tesco's online platform [13466]. |
| Nature (Human/Non-human) | non-human_actions, human_actions | (a) Non-human actions: the failure stemmed from security vulnerabilities and flaws in the website's setup, such as sending unencrypted passwords by email, recommending outdated browsers, and serving elements of the site insecurely over mixed mode HTTP [13466].<br>(b) Human actions: the decision to send passwords in plain text via email, the recommendation of outdated browsers on the website, and the failure to update server software were all human decisions that contributed to the system's security weaknesses [13466]. |
| Dimension (Hardware/Software) | software | (a) Hardware: the article mentions no hardware-related contribution to the incident; it focuses on vulnerabilities in the website's software and practices, such as sending unencrypted passwords via email, recommending outdated browsers, and using mixed mode HTTP, which compromises security [13466].<br>(b) Software: the incident is attributed to software-related factors: unencrypted passwords sent via email, outdated browser recommendations, mixed mode HTTP, and error messages revealing server software seven years out of date. These issues led to security vulnerabilities and to concerns raised by users and security experts [13466]. |
| Objective (Malicious/Non-malicious) | non-malicious | (a) The incident is non-malicious. It involves security vulnerabilities and flaws in Tesco's online system (unencrypted passwords sent via email, outdated browser recommendations, mixed mode HTTP on the site, and outdated server software) identified by security experts and users, raising concerns about the security of customer data and transactions on the website. Nothing in the articles indicates that these weaknesses were introduced with malicious intent to harm the system [13466]. |
| Intent (Poor/Accidental Decisions) | poor_decisions | (a) The incident was primarily due to poor decisions by the company about its security practices: sending unencrypted passwords to users by email, recommending outdated browsers such as Internet Explorer 3 and Netscape Navigator 3.02, and serving insecure elements over mixed mode HTTP after users logged in. The site's error messages also revealed server software seven years out of date. Despite criticism and warnings from security experts and users, Tesco did not appear to take immediate action to address these vulnerabilities, showing a lack of proactive measures and negligence in ensuring secure online shopping for customers [13466]. |
| Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) Development incompetence: sending unencrypted passwords to users by email, which security experts described as well short of industry standards [13466], together with security holes such as recommending outdated browsers like Internet Explorer 3 and using mixed mode HTTP, considered negligent security practice [13466].<br>(b) Accidental: the incident also had accidental elements, notably Tesco inadvertently sending plaintext passwords to users via email, which users on Twitter criticized for the risk it posed if a user's email account were compromised [13466]. The outdated security practices and the failure to update server software to current standards could likewise be seen as accidental oversights that contributed to the incident. |
| Duration | permanent | (a) The failure appears to be permanent in nature. The article highlights several security holes in Tesco's website: unencrypted passwords sent by email, outdated browser recommendations, mixed mode HTTP after login, and error messages revealing a server seven years out of date. These point to underlying systemic problems in Tesco's online security practices rather than a transient fault [13466]. |
| Behaviour | value, other | (a) crash: the articles do not describe a crash in which the system loses state and performs none of its intended functions; the focus is on security vulnerabilities in password handling and website security [13466].<br>(b) omission: the system did not omit its intended functions at any instance; the incident concerns security flaws and inadequate practices in password handling and website security [13466].<br>(c) timing: the incident does not involve the system performing its intended functions correctly but too late or too early; it concerns security vulnerabilities and flaws in Tesco's online platform [13466].<br>(d) value: the system performed its intended functions incorrectly, particularly in handling passwords and website security, for example by sending unencrypted passwords via email and using outdated security practices [13466].<br>(e) byzantine: the system did not behave erroneously with inconsistent responses and interactions; the incident concerns security vulnerabilities in Tesco's online platform [13466].<br>(f) other: the remaining behaviour is the set of security vulnerabilities and inadequate practices in handling user passwords and website security, including unencrypted passwords sent via email, outdated browser recommendations, and security holes in the website's setup [13466]. |