Wandera, a mobile security provider, has discovered 16 companies that leave their customers’ personally identifiable information exposed. The companies fail to encrypt all or part of their payment processes on mobile websites and apps, exposing their customers’ credit card details along with other data. The four airlines identified are Air Canada, Aer Lingus (Ireland), AirAsia, and easyJet (UK). The researchers note that easyJet has already addressed and remediated the issue and that the information exposed by Air Canada does not include the credit card’s CVV code. Additional companies affected by this vulnerability include American Taxi, Chiltern Railways and tourist attractions such as Toronto’s CN Tower and the San Diego Zoo. Combined, the affected companies serve up to half a million customers a day.  

This vulnerability is a failure on the part of the companies to encrypt customer information sent to and from the payment portions of their mobile sites or apps. In addition to payment information (all of the affected companies exposed full credit card numbers), some companies also left the credit card expiration date, full name, billing address, email address and passport details equally exposed. The risk of personally identifiable information and credit card details left unencrypted in transit, particularly on mobile devices, is that such unencrypted traffic could potentially be intercepted. As it is being transmitted without encryption, any such interception would gain immediate access to the clear alphanumeric text version of the information. When such data is encrypted, the encryption safeguards the information if it has been lost, stolen, or intercepted, as it has been concealed and would have to be unencrypted to be of use to a cybercriminal. 

As the affected companies offer transportation or tourist services, it’s likely that many of their customers rely on their mobile devices to access their websites and applications. Encryption safeguards data in transmission which carries additional risks on mobile devices, making this a notable vulnerability. The researchers note that in some cases, the identified vulnerabilities are “limited to a small number of pages within the site that are unencrypted, and seemingly have slipped through the development process, such as the upgrade payment pages.” They point out the importance of securing “the whole end-to-end service, and not just the front door, or the main site where users buy tickets.”