Some of Britain’s biggest travel and leisure firms have been putting their customers’ details at risk due to insecure mobile websites and apps, it has been claimed.
Brands including Aer Lingus and Chiltern Railways are sending unencrypted data when customers access their sites from their smartphones, according to security firm Wandera.
Information such as credit card information, names and addresses, passport details, purchase data and other contact information has all been put at risk by sixteen leading companies, which also range from taxi firms to giftcard and event ticket providers.
Wandera has notified all the companies, which deal with a combined 500,000 customers per day, about the vulnerability, and has already removed easyJet from the affected list after the airline that the issue had been solved.
This means that the credit card information is instead transmitted ‘in the clear’, or unencrypted, over standard web connections i.e. HTTP. This weakness makes the data freely available to be easily intercepted and used in wide-ranging identity theft and fraud.
The unencrypted data was leaked when customers when users accessed a mobile website and app during the purchase and upgrade processes, for example when booking a ticket or choosing a seat.
For example, complete credit card data and customer billing addresses were sent unencrypted to the Aer Lingus website during the booking process.
“We believe there are two likely reasons why HTTPS has not been used,” comments Eldar Tuvey, CEO Wandera.
“It could be a flaw in the coding, or it could be a case of relying on inadequate third party services or libraries. Either way, it’s astounding to me that these companies have failed to exercise sufficient care in the collection of their customers’ personal data.”
Are you a security pro? Try our quiz!
Most people in the United States view TikTok as a Chinese influence tool a poll…
UK regulator confirms it is investigating whether OnlyFans is doing enough to prevent children accessing…
Dismissed staff file complaint with a US labor board, and allege Google unlawfully terminated their…
Elon Musk dismisses two senior Tesla executives, plus the entire division that runs Tesla's Supercharger…
Eight newspaper publishers in the US allege Microsoft and OpenAI used their millions of their…
US judge sentences Binance founder, Changpeng Zhao, to four months in prison for ignoring money…