Mobile providers in Europe gather a lot of highly sensitive information from customers. Are they doing enough to protect it?
Tala analyzed the websites of the top mobile service providers (MSPs) in 7 EU countries. What we found is that unintentional data exposure is a significant, unaddressed problem for them and, by extension, for the more than 235 million customers who sign up for their services and share sensitive personal data. At the heart of the problem: insecure website supply chains.
All the user experience, none of the security?
For a variety of good reasons, European telcos gather sensitive data like passport numbers, payslips and banking details as part of the online sign-up process. But what happens when the third-party code they use to deliver a rich user experience places that sensitive data at risk of over-sharing and theft?
- Sensitive data is at significant risk via form data exposure – Forms used to capture credentials, banking details, passport numbers, etc. are exposed to an average of 19 third parties.
- None of the sites had effective web security in place – On a 100-point scale where a score of 50 indicates limited control, the average within this group was 4.5.
- 100% of the websites are vulnerable to cross-site scripting (XSS) – the most widespread website attack, which frequently results in significant sensitive data leakage.
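As an added illustration of the form-exposure measurement described above (example code, not Tala's own tooling), the following Python audits a page's HTML for forms that capture sensitive fields and the distinct third-party script origins loaded beside them, then drafts a Content-Security-Policy allowlist as a starting point for restricting where scripts load from and where forms may submit. The sample hostnames and the sensitive-field-name heuristic are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed heuristic: substrings that mark a form field as sensitive.
SENSITIVE = ("passport", "iban", "account", "payslip", "salary", "password", "card")

class PageAudit(HTMLParser):
    """Collect external script hosts and forms that capture sensitive fields."""
    def __init__(self, site_origin):
        super().__init__()
        self.site_host = urlparse(site_origin).hostname
        self.script_hosts = set()  # distinct third-party script origins
        self.forms = []            # (action, [sensitive field names])
        self._form = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host != self.site_host:
                self.script_hosts.add(host)
        elif tag == "form":
            self._form = (a.get("action", ""), [])
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            if any(k in name for k in SENSITIVE):
                self._form[1].append(name)
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit(html, site_origin):
    """Return exposed forms, third-party script hosts and a draft CSP allowlist."""
    p = PageAudit(site_origin)
    p.feed(html)
    # External hosts that forms submit to, for the form-action directive.
    ext = sorted({h for act, _ in p.forms
                  for h in [urlparse(act).hostname] if h and h != p.site_host})
    # The draft lists every observed origin so each one can be justified or removed.
    script_src = " ".join(["'self'", *sorted(p.script_hosts)])
    form_action = " ".join(["'self'", *ext])
    return {"sensitive_forms": [f for f in p.forms if f[1]],
            "third_party_script_hosts": sorted(p.script_hosts),
            "draft_csp": f"script-src {script_src}; form-action {form_action}"}

# Constructed sample page: one sign-up form plus two external script origins.
SAMPLE_HTML = """<html><body>
<script src="https://www.example-telco.test/app.js"></script>
<script src="https://tagmanager.example-cdn.test/gtm.js"></script>
<script src="https://chatwidget.example-vendor.test/w.js"></script>
<form action="/signup"><input name="passport_number"><input name="iban"><input name="email"></form>
<form action="/search"><input name="q"></form>
</body></html>"""
```

Running `audit(SAMPLE_HTML, "https://www.example-telco.test")` reports the sign-up form's passport and IBAN fields alongside the two external script origins that can read them, and the draft policy is the list a team then prunes.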
Why it matters
Unintentional data exposure is a significant, unaddressed problem for 100% of the European mobile service providers Tala analyzed.
Tala’s research indicates that, while most online businesses do a great job of protecting data after the user has entered it, few seem to be aware of data leakage as an unintended consequence of the dynamic, rich website experience telcos are known for. This has potentially far-reaching consequences for GDPR – and for the customers themselves. To learn more about Tala’s research, download your copy of Tala’s European Mobile Service Providers Security Report: Unlimited Calls, Texts, Data (sharing), Magecart?
How Tala helps
Tala prevents sensitive data theft, over-sharing and client-side attacks like Magecart, XSS, code injections, website supply chain attacks and session re-directs. Our Tala Protect and Tala Detect platforms are unique in providing comprehensive information flow analysis – along with the means to control it. Learn more about our technologies here.
*** This is a Security Bloggers Network syndicated blog from Tala Blog authored by Deepika Gajaria, VP of Products. Read the original post at: https://go.talasecurity.io/blog/european-telcos-inadvertently-expose-sensitive-customer-data