It’s now been a year since the E.U. General Data Protection Regulation (GDPR) went into effect, and RiskIQ has found that one in 10 PII-capturing websites belonging to the top-ten U.K. financial services organizations are still doing so without adequate security measures.
Most of these organizations are continuing to expand their web presence. However, with penalties up to 4 percent of annual global turnover for breaching GDPR guidelines, it's vital that they maintain a complete inventory of their websites and the PII-collecting pages they contain. Given the material damages of non-compliance, not doing so is a dangerous game of chicken.
A PII capturing website is one which accepts user input that can identify an individual. Examples of PII include input data such as name, address, date of birth, email address and login credentials. In addition to web pages with data entry fields, the research also extends to pages with iframes and pop-up windows that populate during a browser session and accept data. RiskIQ identifies these by referencing the Document Object Model (DOM) of each page of a website. This method is language agnostic and identifies PII capture regardless of the site language.
While these numbers are down from the 27 percent of sites we identified a year ago, it is still far from the required 0 percent. This demonstrates that while organizations are continuing to make progress in ensuring that personal data entered online is collected securely, there's a lot of work to be done. Across 48,949 active websites, RiskIQ research found that out of 4,512 sites capturing PII through data entry points accessible by site visitors, 11.5 percent of these sites (522 sites) are capturing PII insecurely, equating to an average of 52 sites per organization.
Insecure sites are defined as those websites that capture data in clear text using the HTTP protocol, or sites with certificate issues, such as expired certificates, misconfigured certificates or using old and untrusted certificates. The findings highlight one of the key challenges businesses face in the protection of PII, as required by GDPR.
- Out of 3,940 public websites with a login page, 442 of these sites (11 percent) capture login information insecurely
- Out of 572 sites capturing PII through data entry fields accessible by site visitors, 80 of these sites (14 percent) are capturing personal information insecurely
GDPR is a Global Issue
While many organizations see this as an EU-only regulation, in reality, the onus is on any organization that collects, stores, and uses personal information about an E.U. citizen. To avoid penalties, you need a comprehensive understanding of your digital footprint—all of the various internet-exposed assets that belong to your organization. You must also be able to discover which external assets collect PII, including a user's name, phone number, address, social media presence, photos, lifestyle preferences, location data, and even their I.P. address.
Sounds straightforward, but for multinational companies with extensive web infrastructure, just compiling and assessing site details is often fraught with gaps and inaccuracies. For example, when looking at 25 of the 50 largest banks in the U.S. (2017), the RiskIQ Threat Research team discovered that 68 percent of the banks had significant security gaps in PII collection.
RiskIQ Can Help
RiskIQ Digital Footprint can help with GDPR compliance by identifying websites within an organization's footprint that collect and process PII. Digital Footprint's PII/GDPR Analytics provides organizations with the capability to discover, inventory, and assess websites, apps, and infrastructure where PII is captured and processed, and identify and assess PII-collecting website exposures: notices, forms, SSL certificates, frameworks. It can also verify the security of PII-collecting websites with SSL certificates and encryption.