Some of Britain’s biggest travel and leisure firms have been putting their customers’ details at risk due to insecure mobile websites and apps, it has been claimed.
Brands including Aer Lingus and Chiltern Railways are sending unencrypted data when customers access their sites from their smartphones, according to security firm Wandera.
Information such as credit card information, names and addresses, passport details, purchase data and other contact information has all been put at risk by sixteen leading companies, which also range from taxi firms to giftcard and event ticket providers.
Wandera has notified all the companies, which deal with a combined 500,000 customers per day, about the vulnerability, and has already removed easyJet from the affected list after the airline that the issue had been solved.
This means that the credit card information is instead transmitted ‘in the clear’, or unencrypted, over standard web connections i.e. HTTP. This weakness makes the data freely available to be easily intercepted and used in wide-ranging identity theft and fraud.
The unencrypted data was leaked when customers when users accessed a mobile website and app during the purchase and upgrade processes, for example when booking a ticket or choosing a seat.
For example, complete credit card data and customer billing addresses were sent unencrypted to the Aer Lingus website during the booking process.
“We believe there are two likely reasons why HTTPS has not been used,” comments Eldar Tuvey, CEO Wandera.
“It could be a flaw in the coding, or it could be a case of relying on inadequate third party services or libraries. Either way, it’s astounding to me that these companies have failed to exercise sufficient care in the collection of their customers’ personal data.”
Are you a security pro? Try our quiz!
Tesla retreats from pioneering gigacasting manufacturing process, amid cost cutting and challenges at EV giant
No skynet please. After the US, UK and France pledge human only control of nuclear…
Microsoft's AI investments continue in south east Asia, after investments in Japan, Malaysia, Indonesia, as…
New chapter for LastPass as it becomes an independent company to focus on cybersecurity, after…
US FCC seeks to ban Chinese telecom firms at centre of national security concerns from…
Two updates to Anthropic's AI chatbot Claude sees arrival of a new business-focused plan, as…