Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
It’s now been a year since the E.U. General Data Protection Regulation (GDPR) went into effect, and RiskIQ has found that one in 10 PII-capturing websites belonging to the top-ten U.K. financial services organizations are still doing so without adequate security measures.
Most of these organizations are continuing to expand their web presence. However, with penalties up to 4 percent of annual global turnover for breaching GDPR guidelines, it’s vital that they maintain a complete inventory of their websites and the PII-collecting pages they contain. Given the material damages of non-compliance, not doing so is a dangerous game of chicken.
A PII capturing website is one which accepts user input that can identify an individual. Examples of PII include input data such as name, address, date of birth, email address and login credentials. In addition to web pages with data entry fields, the research also extends to pages with iframes and pop-up windows that populate during a browser session and accept data. RiskIQ identifies these by referencing the Document Object Model (DOM) of each page of a website. This method is language agnostic and identifies PII capture regardless of the site language.
While these numbers are down from the 27 percent of sites we identified a year ago, it is still far from the required 0 percent. This demonstrates that while organizations are continuing to make progress in ensuring that personal data entered online is collected securely, there’s a lot of work to be done. Across 48,949 active websites, RiskIQ research found that out of 4,512 sites capturing PII through data entry points accessible by site visitors, 11.5 percent of these sites (522 sites) are capturing PII insecurely, equating to an average of 52 sites per organization.
Insecure sites are defined as those websites that capture data in clear text using the HTTP protocol, or sites with certificate issues, such as expired certificates, misconfigured certificates or using old and untrusted certificates. The findings highlight one of the key challenges businesses face in the protection of PII, as required by GDPR.
While many organizations see this as an EU-only regulation, in reality, the onus is on any organization that collects, stores, and uses personal information about an E.U. citizen. To avoid penalties, you need a comprehensive understanding of your digital footprint—all of the various internet-exposed assets that belong to your organization. You must also be able to discover which external assets collect PII, including a user’s name, phone number, address, social media presence, photos, lifestyle preferences, location data, and even their I.P. address.
Sounds straightforward, but for multinational companies with extensive web infrastructure, just compiling and assessing site details is often fraught with gaps and inaccuracies. For example, when looking at 25 of the 50 largest banks in the U.S. (2017), the RiskIQ Threat Research team discovered that 68 percent of the banks had significant security gaps in PII collection.
RiskIQ Digital Footprint can help with GDPR compliance by identifying websites within an organization’s footprint that collect and process PII. Digital Footprint’s PII/GDPR Analytics provides organizations with the capability to discover, inventory, and assess websites, apps, and infrastructure where PII is captured and processed, and identify and assess PII-collecting website exposures: notices, forms, SSL certificates, frameworks. It can also verify the security of PII-collecting websites with SSL certificates and encryption.
For more information about how RiskIQ can help with GDPR compliance, please download our white paper and datasheet.
We're #ThreatHunting in D.C.! The #infosec community is out in force to learn how to supercharge their investigations with RiskIQ's advanced data sets inside the @PassiveTotal platform.
Via @Forbes, RiskIQ research finds over 18,000 websites infested with #Magecart card-skimming #malware https://t.co/dKSfziG3dr #ecommerce
Just Launched! Adam Hunt of @riskIQ and Fredrik Nilsson of @axisipvideo discuss #cybersecurity, #IoT, and the threat of regulatory fines from #dataprivacy breaches on the latest Inside @ForbesCouncils #podcast! https://t.co/G0UoPfQCHf