Websites Continue to Collect PII Data Insecurely
Websites are still collecting personally identifiable information (PII) without adequate web security: serving forms over the HTTP protocol, collecting data in clear text, and running on sites with expired or misconfigured certificates.
According to research by RiskIQ covering 48,949 active financial services organization websites, 4512 sites capture PII through data entry points accessible to site visitors, and 11.5% of those (522 sites) capture PII insecurely.
While this is down from the 27% of sites identified a year ago, it equates to an average of 52 sites per organization that are collecting names, addresses and dates of birth.
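As an added illustration, not part of RiskIQ's research or this article, the following Python check covers the first condition named above: it scans a page's HTML and flags forms collecting PII or credentials whose submission would travel over plaintext HTTP. The field-name heuristic and the sample page are constructed assumptions, not RiskIQ's classifier.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names suggesting a form collects PII or credentials
# (assumption: a simple heuristic list for this example).
PII_HINTS = ("name", "address", "dob", "birth", "email", "password", "login")


class FormCollector(HTMLParser):
    """Collects each <form>'s action and the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "fields": [str, ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_pii_forms(page_url, html):
    """Return (submit_url, fields) for every PII-collecting form whose
    submission would go over plaintext HTTP. A relative action inherits the
    page's scheme, so an HTTP page with a relative login form is flagged too."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not any(h in f for f in form["fields"] for h in PII_HINTS):
            continue
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme != "https":
            findings.append((target, form["fields"]))
    return findings


# Constructed sample page: a registration form posting over HTTP from an
# HTTPS page, plus a harmless search form that should not be flagged.
SAMPLE_HTML = """
<form action="http://example.test/register" method="post">
  <input name="full_name"><input name="dob"><input name="address">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for target, fields in find_insecure_pii_forms("https://example.test/signup", SAMPLE_HTML):
        print("INSECURE PII form:", target, fields)
```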
In an email to Infosecurity, Mishcon de Reya data protection advisor Jon Baines said that the results indicate that despite a slight increase in security compliance since GDPR became applicable, there remain worrying gaps, particularly in some of the sectors which the public should reasonably expect to have most confidence in.
“The results certainly point to failures to comply with the security principle of GDPR; the extent to which these are serious failings, of the kind which might warrant regulatory action, will depend on the individual facts of the cases,” he said.
“It would be interesting to know if the organizations are even aware, and if they are, whether any will report these breaches (as arguably they should) to the Information Commissioner’s Office.”
RiskIQ said that of 3940 public websites with a login page, 442 of these sites (11%) capture login information insecurely.
“This research shows that organizations are continuing to make progress in ensuring that personal data entered online is collected in a secure manner,” said Fabian Libeau, VP EMEA at Risk ..