HTTP Encryption Flaw
Security firm Wandera has just released a report detailing findings that at least 16 companies, with a combined 500,000 daily users, have mobile websites and apps that offer insufficient encryption of customer credit data including names, addresses and transaction information—exposing users to leaks and malicious hacks.
The offending companies range from airlines EasyJet and Aer Lingus to the San Diego Zoo and the TriBeCa Med Spa in Manhattan. All the companies involved had a flaw in their use of encryption—dubbed “CardCrypt”—which affects websites not using HTTPS to secure and encrypt data in transit from mobile devices and smartphones. Even more troubling was the fact that many of the companies involved seemed unaware of the vulnerabilities prior to the announcement.
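The flaw described above is not a weakness in a cipher but the absence of TLS on the path a checkout form takes: card fields posted over plain http:// are readable by anyone on the network. The following is an added example, not code from Wandera or from the report, showing how a site owner can audit a checkout page offline for forms that would submit payment fields over plaintext HTTP. The page URL, HTML and list of payment-field name hints are all constructed for the example.

```python
"""Audit an HTML checkout page for forms that would POST payment fields over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that commonly appear in card-data field names (assumed list, not from the report).
PAYMENT_FIELD_HINTS = ("card", "pan", "cvv", "cvc", "expiry", "exp_month", "exp_year")

# Constructed sample: a mobile checkout page served over plain HTTP.
SAMPLE_PAGE_URL = "http://m.example-airline.test/checkout"
SAMPLE_HTML = """
<html><body>
  <form action="/search" method="get">
    <input name="origin"><input name="destination">
  </form>
  <form action="/pay" method="post">
    <input name="card_number"><input name="cvv"><input name="expiry">
  </form>
  <form action="https://pay.example-psp.test/submit" method="post">
    <input name="card_number"><input name="cvv">
  </form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect each <form> with its action attribute and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str | None, "fields": [field names]}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_payment_field(name):
    """True if the field name looks like it carries card data."""
    lowered = name.lower()
    return any(hint in lowered for hint in PAYMENT_FIELD_HINTS)


def audit_checkout_page(page_url, html):
    """Return one finding per form that has payment fields and a non-HTTPS submit target.

    A missing or relative action inherits the scheme of the page URL, so a checkout page
    served over plain HTTP is flagged even when its form has no explicit action.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        payment_fields = [f for f in form["fields"] if is_payment_field(f)]
        if not payment_fields:
            continue
        target = urljoin(page_url, form["action"] or "")
        if urlsplit(target).scheme.lower() != "https":
            findings.append({"action": target, "fields": payment_fields})
    return findings


if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"plaintext submit of {finding['fields']} to {finding['action']}")
```

Run against the constructed page, this flags only the `/pay` form: its relative action resolves to `http://m.example-airline.test/pay`, while the form posting to the HTTPS payment processor passes. A static check like this catches the most common shape of the problem but not everything the report describes: a form that posts to HTTPS after a plaintext page load can still be altered before submission, and native mobile apps talking to http:// API endpoints need a separate review of the app's network calls, so the check belongs alongside enforcing HTTPS and HSTS on the whole site rather than in place of it.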
“We were very surprised when we found [the vulnerability] in the first place,” says Wandera CEO and co-founder Eldar Tuvey. “We had been looking for man-in-the-middle attacks or jailbroken phones…password leaks or username leaks. We didn’t think we would find any credit card data.”
Wandera provides mobile security services for clients including Bloomberg, Office Depot, and NATO by channeling all Internet data through its private servers and using A.I. process automation software and sophisticated algorithms to analyze the data for patterns that indicate a cyber attack or employees visiting NSFW destinations. Discovering the faulty encryption was an accident—but Wandera warns that the vulnerabilities may be more common than even they know.
“If in our data that we do see we found this much, I’m assuming that in all the other data that we don’t see there’s just as many if not more,” says Tuvey. He is referring to the fact that Wandera handles only roughly 2 percent of the net’s total traffic, meaning that countless other websites and companies could be leaking consumer credit data without even knowing it.