Tala Security’s Global Data at Risk – 2020 State of the Web Report indicates that sensitive data like PII and credit card information has never been more at risk – and security effectiveness is declining, as the vast majority of global brands fail to implement controls to prevent data leakage and theft.
Milpitas, CA (July 14, 2020) –The global pandemic has seen the web take center stage. Banking, retail and other industries have seen large spikes in web traffic, and this trend is expected to become permanent. As attackers ramp up efforts to exploit this crisis, a slew of high-profile attacks on global brands and record-breaking fines for GDPR breaches have had little impact on client-side security and data protection deployments.
Key findings from the Data at Risk – 2020 State of the Web Report highlight the scale of vulnerability and that the majority of global brands fail to deploy adequate security controls to guard against client-side attacks:
- Despite increasing numbers of high-profile breaches, forms, found on 92% of websites expose data to an average of 17 domains. This is PII, credentials, card transactions, and medical records. While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, Tala’s analysis shows that this data is exposed to nearly 10X more domains than intended. Nearly one-third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.
Unfortunately, despite high-profile risks and the availability of controls, there has been no significant increase in the adoption of security capable of preventing client-side attacks:
- Over 99% of websites are at risk from trusted, whitelisted domains like Google Analytics. These can be leveraged to exfiltrate data, underscoring the need for continuous PII leakage monitoring and prevention. This has significant implications for data privacy, and by extension, GDPR and CCPA.
- 30% of the websites analyzed had implemented security policies – an encouraging 10% increase
over 2019. However…
- Only 1.1% of websites were found to have effective security in place – an 11% decline from 2019. It indicates that while deployment volume went up, effectiveness declined more steeply. The attackers have the upper hand largely because we are not playing effective defense.
Solutions are available to mitigate client-side attacks and eliminate PII data leakage. Standards-based security controls, are built-into all modern browsers and are designed specifically to address the vulnerabilities created by modern web architecture, including client-side attacks. Applied and managed correctly, these security standards including Content Security Policy (CSP), Subresource Integrity (SRI) and others will mitigate client-side risk – including zero-day threats offering a future-proof solution with no impact on website performance or user experience. Leveraging tools that complement these capabilities by monitoring and preventing PII and other data leakage provide a comprehensive defense-in-depth approach.
The findings presented in the Global Data at Risk – 2020 State of the Web Report are the result of an aggregate study of the Alexa 1000 to define statistically relevant insights that indicate mass vulnerability to client-side website attacks, such as cross-site scripting (XSS), Magecart, formjacking, user data leakage, content integrity attacks, ad injections and session redirects.
About Tala Security
Tala Security protects hundreds of millions of browser sessions every month from critical and growing threats, such as data leakage, cross-site scripting (XSS), Magecart, website supply-chain attacks, clickjacking and others. It does this by automating the deployment and dynamic adjustment of browser- native, standards-based security controls such as Content Security Policy (CSP), Subresource Integrity (SRI), HTTP Strict Transport Security (HSTS) and other web security standards. The activation of browser- native security controls provide comprehensive security without requiring any changes to the application code and with almost no impact to website performance. Tala serves large website operators in verticals such as financial services, online retail, payment processing, hi-tech, fintech and education.
British Airways was fined $230m under GDPR for a data breach caused by a Magecart attack.