Websites are still collecting personally identifiable information (PII) without adequate transport security: forms submitted over plain HTTP, data sent in clear text, and sites whose TLS certificates are expired or misconfigured.
According to research by RiskIQ across 48,949 active financial services organization websites, 4,512 sites capture PII through data entry points accessible to site visitors, and 11.5% of these (522 sites) capture that PII insecurely.
While this is down from the 27% of sites identified a year ago, it still equates to an average of 52 sites per organization that collect names, addresses and dates of birth.
In an email to Infosecurity, Mishcon de Reya data protection advisor Jon Baines said that the results indicate that despite a slight increase in security compliance since GDPR became applicable, there remain worrying gaps, particularly in some of the sectors which the public should reasonably expect to have most confidence in.
“The results certainly point to failures to comply with the security principle of GDPR; the extent to which these are serious failings, of the kind which might warrant regulatory action, will depend on the individual facts of the cases,” he said.
“It would be interesting to know if the organizations are even aware, and if they are, whether any will report these breaches (as arguably they should) to the Information Commissioner’s Office.”
RiskIQ said that of 3,940 public websites with a login page, 442 (11%) capture login information insecurely.
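The two findings above (PII entry forms and login forms that submit over plain HTTP) can be checked for on your own inventory with a small form audit. The following is an added example and is not RiskIQ's tooling or anything from the article; the sample HTML, the bank hostname and the list of field names treated as sensitive are all constructed for illustration. It flags a form when the page is served over HTTP, when the form's resolved action is an HTTP URL, or when sensitive fields would travel in a GET query string. Certificate expiry and misconfiguration checks are out of scope here because they need a live TLS connection.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic list of input names treated as PII or credentials (an assumption
# for this example, not a classification taken from the research).
SENSITIVE_FIELDS = {
    "name", "fullname", "firstname", "lastname", "address", "postcode",
    "dob", "dateofbirth", "birthdate", "email", "username", "password",
}


def _norm(field_name):
    """Normalise 'date_of_birth' / 'Date-Of-Birth' to 'dateofbirth'."""
    return re.sub(r"[\s_\-]", "", field_name or "").lower()


class FormCollector(HTMLParser):
    """Collect every <form> on a page with its action, method and inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                {"name": _norm(a.get("name")), "type": (a.get("type") or "text").lower()}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form that collects sensitive data.

    A form is marked insecure if the page itself is served over HTTP (an
    attacker on the path can rewrite the form before it is ever submitted,
    even if the action is HTTPS), if the resolved action is HTTP, or if the
    form uses GET so the values end up in URLs and server logs.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        sensitive = [
            f["name"] for f in form["fields"]
            if f["type"] == "password" or f["name"] in SENSITIVE_FIELDS
        ]
        if not sensitive:
            continue
        reasons = []
        if urlsplit(page_url).scheme != "https":
            reasons.append("page served over http")
        if urlsplit(target).scheme != "https":
            reasons.append("form posts to http")
        if form["method"] != "post":
            reasons.append("sensitive fields sent via GET query string")
        findings.append(
            {"target": target, "fields": sensitive,
             "insecure": bool(reasons), "reasons": reasons}
        )
    return findings


# Constructed sample page: an application form posting relative to the page,
# a login form posting to an absolute HTTPS URL, and a harmless search form.
SAMPLE_HTML = """
<html><body>
<form action="/apply" method="post">
  <input name="full_name"><input name="date_of_birth"><input name="address">
  <button>Apply</button>
</form>
<form action="https://secure.example-bank.test/login" method="post">
  <input name="username"><input type="password" name="pw">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://www.example-bank.test/apply",
                "https://www.example-bank.test/apply"):
        for f in audit_forms(url, SAMPLE_HTML):
            print(url, f)
```

Run against a crawl of your own domains, the interesting output is the set of forms whose reasons list is non-empty; the same page served over HTTPS produces no findings, which is the point of the page-scheme check.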
“This research shows that organizations are continuing to make progress in ensuring that personal data entered online is collected in a secure manner,” said Fabian Libeau, VP EMEA at RiskIQ.
“However, that we still see instances serves to highlight that there is more to be done. Most organizations are continuing to expand their web presence and it's vitally important that they maintain a complete inventory of those sites and the PII collecting pages they contain.”
Jonathan Armstrong, partner at Cordery, said that there is a wide definition of what “personal data” is.
He argued that the issue here isn’t just that companies are collecting the data when they likely don’t need it – although this is problematic – it is that they’re not securing it in transit and once they have it. “This double whammy is likely to put any of these organizations into more trouble with a data protection regulator – especially if they’re also not being transparent about what they are collecting, what they are doing with it and how they’re keeping it safe,” he added.
“Website users have higher demands than they did even a year ago and the level of complaints is up right across the EU. Any organization which isn’t addressing this as an issue is likely just storing up problems.”