Sensitive data, like personally identifiable information (PII) and credit card information, has never been more at risk, while security is becoming less effective, new research shows.
The vast majority of global brands fail to implement controls that would prevent data leaks and theft, according to a report from Tala Security. The firm studied the Alexa top 1000 websites in aggregate to produce statistically meaningful findings on how exposed they are to client-side attacks such as cross-site scripting (XSS), Magecart, formjacking, user data leakage, content integrity attacks, ad injection and session redirects.
With the global pandemic placing the web center stage, banking, retail and other industries have seen immense spikes in web traffic, a trend experts say will become permanent. Cyber attackers have in turn ramped up efforts to exploit the crisis. Yet despite countless precedents and record-breaking fines under data-protection legislation such as GDPR, breaches continue to occur because businesses fail to deploy data-protection controls, or deploy them incorrectly.
Client side is a primary attack vector for website attacks
Among the report's key findings: forms on 92% of the high-profile websites studied expose the data they collect to an average of 17 domains.
“This is PII, credentials, card transactions, and medical records,” the researchers said. “While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, Tala’s analysis shows that this data is exposed to nearly 10X more domains than intended. Nearly one third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.”
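The "data exposed to N domains" figure above is a measurement any site owner can approximate from its own markup, and the missing control the report points at is one that pins down where the browser may send data. The following is an added example, not code from the article or from Tala Security: a dependency-free Node.js audit that extracts the origins a page's scripts, forms, frames, images and stylesheets reach, separates first-party hosts from third parties, and derives a Content-Security-Policy that allows only the page's own hosts plus an explicit allowlist. The sample HTML, the page origin `https://shop.example` and every hostname in it are constructed for the example; the scan is static, so inline scripts, fetch/XHR calls and tags injected at runtime (the usual Magecart delivery path) are out of its scope and would need runtime instrumentation or a CSP in report-only mode to observe.

```javascript
// Added example (not from the article or Tala Security): audit the origins a page's
// markup can send data to, then derive a restrictive Content-Security-Policy.
// Runs under Node.js with no dependencies.

// Constructed sample page; every hostname here is made up for the example.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.example-tag-manager.com/gtm.js"></script>
<script src="https://static.shop.example/app.js"></script>
<script src="//analytics.tracker-one.net/t.js"></script>
<link rel="stylesheet" href="https://fonts.cdn-three.org/css">
</head><body>
<form action="https://checkout.shop.example/pay" method="post"><input name="card"></form>
<form action="/login" method="post"><input name="password"></form>
<form action="https://forms.thirdparty-lead.io/submit" method="post"><input name="email"></form>
<iframe src="https://ads.network-four.com/frame"></iframe>
<img src="https://pixel.tracker-one.net/p.gif">
</body></html>`;

const PAGE_ORIGIN = 'https://shop.example'; // assumed first-party origin

// Markup that makes the browser send a request (and, for forms, user input) to a URL,
// paired with the CSP directive that governs it. Approximation: <link href> is treated
// as a stylesheet; inline scripts, fetch/XHR and dynamically inserted tags are not
// visible to a static scan.
const SINKS = [
  { tag: 'script', attr: 'src', directive: 'script-src' },
  { tag: 'form', attr: 'action', directive: 'form-action' },
  { tag: 'iframe', attr: 'src', directive: 'frame-src' },
  { tag: 'img', attr: 'src', directive: 'img-src' },
  { tag: 'link', attr: 'href', directive: 'style-src' },
];

// Resolve a relative or protocol-relative URL ("//host/x") against the page origin.
function originOf(url, pageOrigin) {
  return new URL(url, pageOrigin).origin;
}

// First party = the page host itself or one of its subdomains.
function isFirstParty(origin, pageOrigin) {
  const host = new URL(origin).hostname;
  const pageHost = new URL(pageOrigin).hostname;
  return host === pageHost || host.endsWith('.' + pageHost);
}

// Returns { byDirective: { 'script-src': [origins], ... }, thirdParty: [origins] }.
function auditPage(html, pageOrigin) {
  const byDirective = {};
  const thirdParty = new Set();
  for (const { tag, attr, directive } of SINKS) {
    const re = new RegExp(`<${tag}\\b[^>]*\\s${attr}\\s*=\\s*["']([^"']+)["']`, 'gi');
    const origins = new Set();
    for (let m; (m = re.exec(html)) !== null; ) {
      const origin = originOf(m[1], pageOrigin);
      origins.add(origin);
      if (!isFirstParty(origin, pageOrigin)) thirdParty.add(origin);
    }
    byDirective[directive] = [...origins].sort();
  }
  return { byDirective, thirdParty: [...thirdParty].sort() };
}

// Build a CSP permitting 'self', first-party subdomains and allowlisted third parties.
// 'self' covers only the exact page origin, so first-party subdomains such as
// checkout.shop.example must still be listed explicitly. Anything else the audit saw
// is reported as blocked rather than silently admitted.
function buildCsp(audit, pageOrigin, allowlist) {
  const allowed = new Set(allowlist);
  const directives = ["default-src 'self'"];
  const blocked = [];
  for (const [directive, origins] of Object.entries(audit.byDirective)) {
    const sources = ["'self'"];
    for (const origin of origins) {
      if (origin === pageOrigin) continue; // already covered by 'self'
      if (isFirstParty(origin, pageOrigin) || allowed.has(origin)) sources.push(origin);
      else blocked.push(`${directive} ${origin}`);
    }
    directives.push(`${directive} ${sources.join(' ')}`);
  }
  return { policy: directives.join('; '), blocked };
}

const audit = auditPage(SAMPLE_HTML, PAGE_ORIGIN);
console.log('third-party origins:', audit.thirdParty);
const result = buildCsp(audit, PAGE_ORIGIN, ['https://cdn.example-tag-manager.com']);
console.log('Content-Security-Policy:', result.policy);
console.log('would be blocked:', result.blocked);
```

Run with `node audit.js`. On the sample page the audit finds six third-party origins, and with only the tag manager allowlisted the generated policy keeps `form-action` to the site's own checkout host, which is exactly the directive that stops a skimmer-injected form or a rewritten `action` from posting card data elsewhere. Before enforcing, ship the same policy as `Content-Security-Policy-Report-Only` with a `report-to`/`report-uri` endpoint: the violation reports will surface the runtime-loaded third parties the static scan cannot see.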