According to data protection and privacy company Tala, sensitive data pertaining to customers of top mobile service providers in the European Union is at risk due to poorly protected websites.
An examination of the websites of 13 of the EU’s largest mobile telecom companies showed that none of them have even the bare minimum of security measures in place to be considered stable.
“Despite having a combined customer base of over 235 million, none of the mobile carriers received a passing grade for website security. “No one of the mobile providers examined comes close to a score of 80+, where 50 is barely a passing grade,” Tala writes in a new survey.
Despite the lack of adequate website security, telcos collect a large amount of confidential data from their customers during online sign-up, including names, emails, addresses, dates of birth, passport numbers, payslips, and in some cases, banking information.
Tala believes that all of the data collected could be exploited as a result of bugs and the use of third-party code: the average number of JavaScript integrations was found to be 162, and forms were found to be exposed to an average of 19 third parties.
The report shows that all of the websites use dangerous JavaScript functions, which allow cross-site scripting (XSS), the most common form of website vulnerability. There were 735 JavaScript integrations on a single platform, which was the most.
Customers’ personal information is potentially exposed by the forms used to collect data on these mobile operators’ websites, as these link to a wide number of domains, exposing widespread data sharing, “25 percent more than the global Alexa 1000 average for websites,” according to Tala.
“When website owners struggle to protect data as it is entered into their websites, they are essentially hanging it; the only reason it hasn’t been hacked is that criminals haven’t taken it. “Yet,” the firm stresses.
According to the findings, none of the examined websites had the requisite safeguards in place to avoid unintended data leakage, and any third-party code running on the site could be used to “modify, steal, or leak information via client-side attacks allowed by JavaScript,” according to the study.
While most data exchange took place via whitelisted, legal applications, the website owner wasn’t always aware of the types of data collected or the scope of the data collection.
“Even whitelisted apps can be used to steal data, posing serious concerns about data protection and, by extension, GDPR. Unfortunately, the review shows that none of the EU telcos examined here are sufficiently aware of the threat,” Tala says.
