RiskIQ finds the UK’s top financial services organisations still collecting PII insecurely

10-May-2019

One year after the EU General Data Protection Regulation (GDPR) went into effect, RiskIQ, the digital attack surface management leader, has discovered that 1 in 10 PII capturing websites belonging to the top 10 UK financial services organisations are still doing so without adequate security measures, potentially breaching GDPR guidelines. While this is down from the 27% of sites identified a year ago, it is still far from the required 0%.

Across 48,949 active websites, RiskIQ research found that out of 4,512 sites capturing PII through data entry points accessible by site visitors, 11.5% of these sites (522 sites) are capturing PII insecurely. This equates to an average of 52 sites per organisation.

A PII capturing website is one which accepts user input that can identify an individual. Examples of PII include input data such as name, address, date of birth, email address and login credentials. In addition to web pages with data entry fields, the research also extends to pages with iframes and pop-up windows that populate during a browser session and accept data. RiskIQ identifies these by referencing the Document Object Model (DOM) of each page of a website. This method is language agnostic and identifies PII capture regardless of the site language.

RiskIQ research found:

  • Out of 3,940 public websites with a login page, 442 of these sites (11%) capture login information insecurely

  • Out of 572 sites capturing PII through data entry fields accessible by site visitors, 80 of these sites (14%) are capturing personal information insecurely

Insecure sites are defined as those websites that capture data in clear text using the HTTP protocol, or sites with certificate issues such as expired, misconfigured, or old and untrusted certificates. The findings highlight one of the key challenges businesses face in the protection of PII, as required by GDPR.
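The two checks described above, inventorying PII entry points from a page's DOM and flagging those that submit over clear-text HTTP or sit behind an expired certificate, as an added example written for this page (not RiskIQ's tooling). The list of field names treated as PII and the sample form markup are assumptions; only certificate expiry is checked here, not misconfiguration or trust.

```python
"""Added example: find PII-capturing forms in a page and flag insecure submit targets."""
import ssl
import time
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input types/names that usually carry personal data (assumed heuristic list).
PII_HINTS = ("password", "email", "name", "address", "dob", "birth", "login", "user")


class FormCollector(HTMLParser):
    """Walk the page's DOM and record each form's action plus its PII-looking fields."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "fields": [str]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            label = " ".join((a.get("type") or "", a.get("name") or "", a.get("id") or "")).lower()
            if any(h in label for h in PII_HINTS):
                self._current["fields"].append(a.get("name") or a.get("id") or a.get("type"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_pii_forms(page_url, html):
    """Return (field names, submit URL) for every PII form whose submit URL is not https."""
    p = FormCollector()
    p.feed(html)
    findings = []
    for f in p.forms:
        if not f["fields"]:
            continue                                # nothing PII-like captured by this form
        target = urljoin(page_url, f["action"])     # empty action means "post to this page"
        if urlsplit(target).scheme != "https":
            findings.append((f["fields"], target))
    return findings


def cert_expired(peercert, now=None):
    """True if a cert dict in ssl.getpeercert() format is past its notAfter date."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(peercert["notAfter"]) < now
```

Running `insecure_pii_forms` over each page of a site inventory gives the per-site count the research reports; `cert_expired` takes the dict returned by `ssl.SSLSocket.getpeercert()` for the same host.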

“This research shows that organisations are continuing to make progress in ensuring that personal data entered online is collected in a secure manner,” said Fabian Libeau, VP EMEA at RiskIQ. “However, that we still see instances serves to highlight that there is more to be done. Most organisations are continuing to expand their web presence and it's vitally important that they maintain a complete inventory of those sites and the PII collecting pages they contain.”