Websites of EU Mobile Providers Fail to Properly Secure User Data: Report
Sensitive data pertaining to the customers of top mobile services providers in the European Union is at risk of compromise due to improperly secured websites, data security and privacy firm Tala reveals.
An analysis of the websites of 13 of the top mobile telecom companies in the EU has revealed that none of them has in place even the minimum necessary protections to be considered secure.
“With over 235 million customers between them, none of the mobile providers scored a passing grade for website security. Where a score of 80+ is considered reasonable and 50 is barely a passing grade, none of the mobile providers analyzed comes close,” Tala says in a new report.
Despite the lack of proper website protections, however, during online sign-up, the telcos collect a significant amount of sensitive data from their customers, including names, emails, addresses, dates of birth, passport numbers, payslips, and even banking details in some cases.
The sensitive data that customers enter on the websites of these mobile opertors is also potentially exposed through the forms employed to gather the data, as these connect to a large number of domains, revealing extensive data sharing, “25% more than the global Alexa 1000 average for websites,” Tala notes.
“When website owners fail to secure data as it is entered into their websites, they’re effectively leaving it hanging; the only reason it’s not being stolen is that criminals haven’t taken it. Yet,” the company points out.
While the data sharing in most cases was done through whitelisted, legitimate applications, the website owner wasn’t always aware of the type of data that these applications would collect, or the extent of the data collection.
“Even whitelisted apps can be exploited to exfiltrate data, with significant implications for data privacy, and by extension, GDPR. Unfortunately, the analysis indicates that none of the EU telcos analyzed here has sufficient awareness of the risk,” Tala notes.