European telcos inadvertently expose sensitive customer data to over-sharing and theft


Mobile providers in Europe gather a lot of highly sensitive information from customers. Are they doing enough to protect it? 

Tala analyzed the websites of the top MSPs in 7 EU countries. What we found is that unintentional data exposure is a significant, unaddressed problem for them and, by extension, more than 235 million customers who sign up for their services and share sensitive personal data. At the heart of the problem: insecure website supply chains. 

All the user experience, none of the security? 

For a variety of good reasons, European telcos gather sensitive data like passport numbers, payslips and banking details as part of the online sign-up process. But what happens when the third party code they use to deliver a rich user experience places that sensitive data at risk from over-sharing and theft? 

Tala’s analysis indicates that, not only are European telco websites inadequately protected from third party risk, their use of large numbers of third party JavaScript integrations exposes them to significant risk:

  • Sensitive data is at significant risk via form data exposure – Forms used to capture credentials, banking details, passport numbers, etc. are exposed to an average of 19 third parties. 
  • None of the sites had effective web security in place: On a 100 point scale where a score of 50 indicates limited control, the average within this group was 4.5
  • 100% of the websites are vulnerable  to cross-site scripting (XSS) – the most widespread website attack, which frequently results in significant sensitive data leakage
  • The highest number of third party JavaScript  integrations found on a single site was 735; the average was 162. 

Why it matters

Unintentional data exposure is a significant, unaddressed problem for 100% of the European mobile service providers Tala analyzed.

Without control, every piece of JavaScript code running on websites – from every single vendor included in the website owner’s supply chain – can modify, steal or leak information through client-side attacks enabled by JavaScript. Telcos in this group had an average of 162 3rd party JavaScript integrations; that’s a lot of over-sharing and data exposure risk.  When website owners fail to secure data as it’s entered into their websites, they’re effectively leaving it hanging; the only reason it’s not being stolen is that criminals haven’t taken it. Yet. 

Tala’s research indicates that, while most online businesses do a great job of protecting data after the user has entered it, few seem to be aware of data leakage as an unintended consequence of the dynamic, rich website experience telcos are known for. This has potentially far-reaching consequences for GDPR – and for the customers themselves. To learn more about Tala’s research, download your copy of Tala’s European Mobile Service Providers Security Report: Unlimited Calls, Texts, Data (sharing), Magecart


How Tala helps

Tala prevents sensitive data theft, over-sharing and client-side attacks like Magecart, XSS, code injections, website supply chain attacks  and session re-directs. Our Tala Protect and Tala Detect platforms are unique in providing comprehensive information flow analysis – along with the means to control it. Learn more about our technologies here. 

*** This is a Security Bloggers Network syndicated blog from Tala Blog authored by Deepika Gajaria, VP of Products. Read the original post at: