The Wandera 2017 Mobile Leak Report, a global analysis of almost 4 billion requests across hundreds of thousands of corporate devices, found more than 200 mobile websites and apps leaking personally identifiable information across a range of categories – including those that are essential for work.
Most notably, the study revealed:
- More than 59 percent of all the leaks identified were from just three categories: news and sports, business and industry and shopping.
- Among the leaking mobile sites and apps were well-known sites such as ESPN Fantasy Rugby, Fox Sports and Royal Mail.
- The vast majority of leaks included sensitive information such as email/username (90 percent) and password/hash (86 percent).
- 80 percent of the top 50 adult sites were leaking some form of PII.
I spoke with Michael Covington, vice president of Product at Wandera, about the report and what it means for both businesses and consumers.
What is the Mobile Leak Report?
The Mobile Leak Report is a summary of research that uncovered more than 200 well-known and reputable digital services responsible for exposing sensitive consumer and enterprise information. These “data leaks” are particularly relevant to mobile users because the primary culprits were apps and mobile-tailored websites that failed to protect the sensitive information as it was in transit.
In your opinion, what was the biggest “takeaway” from this report?
For me, the biggest takeaway from the report is a realization of how critical end-to-end visibility can be when assessing security risk. Most organizations have no visibility at the data level of how a corporate mobile device is being used. Simply understanding the risks is an essential first step to plugging the holes.
I’m fairly confident that most users assume mobile apps and websites will protect their sensitive information; sadly, this report shows that those assumptions are flat-out wrong. We found that these 200+ leaks were coming from devices in more than 20 countries that were using apps, websites and mobile websites – it seemed that no one was spared.
The information at risk included credit card details, dates of birth, addresses, home phone numbers and passport information. Overall, it was a staggering amount of detailed information that was being exposed.
Without some end-to-end visibility that could expose these leaks, most organizations are flying blind and have no idea how much they, or their employees, are exposed.
What was the most shocking discovery within this report?
In my opinion, the biggest shock contained within this report was the fact that so many mainstream apps were leaking the private information of the users and organizations that trusted them with this data in the first place.
Our research shows that this problem is not isolated to a particular category or service domain. The fact that the data leaks are so broad and span geographies is what I found most disturbing.
With data leaks being so broad, what can be done to mitigate these risks?
First, companies that publish apps and maintain online services should have a security development lifecycle practice that considers security and privacy requirements early in the development process. These same organizations should also be going through security audits on a regular basis to ensure that their security requirements continue to be met.
Secondly, companies with mobile users who utilize apps to handle sensitive data need to have tools in place to manage security risk. We have seen several instances where even the official app stores have been plagued by malicious apps, fake apps and apps that simply fail to protect the privacy of sensitive information.
Companies that are embracing mobility must have a plan in place to deal with security issues when—not if—they occur.
What is your advice to consumers on reducing leaks or protecting themselves from these mobile leaks when using their favorite apps?
Enterprise security teams are usually the most organized when it comes to assessing their overall risk exposure, largely due to investment in third-party tools and services to help manage that risk.
For consumers, however, it is difficult because there is no visual cue on an app that indicates when a connection is secured.
Consumers can take some basic steps to help protect themselves. I recommend that mobile end users spend time reviewing app store comments and at least limit their downloads to the official app stores so they can minimize their overall risk exposure.
What other steps need to be taken to address data leaks?
When it comes to data leaks, the biggest change that’s needed is with the publishers and owners of content. Whether you are a major sports news website or a train operator or an online streaming music service, you absolutely must consider security and privacy as part of the transaction with your users.
Time-to-market is important, but rushing an app through the review process or launching a mobile website before it’s been tested is a mistake because it could put your users—not to mention your brand—at risk.
Editor’s note: For more on data breaches and their impact, please see the Internet Society’s 2016 Global Internet Report.