Flaws in the mobile websites of major firms operating in the UK including easyJet, Aer Lingus and Chiltern Railways have resulted in sensitive user data being transmitted without encryption, according to mobile security firm Wandera.
It said an investigation, which started roughly two weeks ago, identified 16 companies that have put customer information at risk by exposing credit card details, names, addresses and transaction information.
The flaw, dubbed 'CardCrypt', is said to affect websites not using HTTPS to secure and encrypt data when in transit from mobile devices and smartphones. According to Wandera, this leaves data at risk of man-in-the-middle attacks or identity fraud.
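The kind of check Wandera describes, inspecting traffic passing through a gateway for complete card details sent over plain HTTP, can be reproduced in miniature. The script below is an added example written for this article, not Wandera's code nor any named company's; the request records and hostnames are constructed, and the card numbers are the standard "4111 1111 1111 1111" test number plus a variant that fails the Luhn check. It flags only Luhn-valid card-like numbers carried in the query string or body of an http:// request and masks them before reporting, which is what a defender's DLP or proxy rule would do.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample of request records (method, URL, body) in the form a
# traffic gateway or proxy might log them. Hostnames are fictitious and the
# card numbers are the standard 4111111111111111 test PAN and a variant that
# fails the Luhn check; none of this is data from the article.
SAMPLE_REQUESTS = [
    ("POST", "http://m.example-airline.test/checkout",
     "name=A+Traveller&card=4111111111111111&cvv=123&expiry=12%2F19"),
    ("POST", "https://m.example-airline.test/checkout",
     "name=A+Traveller&card=4111111111111111&cvv=123&expiry=12%2F19"),
    ("GET", "http://m.example-rail.test/search?from=MAR&to=LON&date=20151209", ""),
    ("POST", "http://m.example-zoo.test/order", "ticket=adult&ref=4111111111111112"),
]

# 13 to 19 digit runs, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return Luhn-valid card-like numbers found in a decoded text fragment."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_requests(requests) -> list:
    """Flag requests that carry a Luhn-valid PAN over plain http://.

    Query string and body are URL-decoded before matching so that encoded
    separators do not hide a number. HTTPS requests are skipped: the concern
    is cleartext exposure, not the presence of card data as such.
    """
    findings = []
    for method, url, body in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue
        text = unquote_plus(parts.query) + "\n" + unquote_plus(body)
        pans = find_pans(text)
        if pans:
            findings.append({
                "method": method,
                "host": parts.hostname,
                "path": parts.path,
                "pans": [mask(p) for p in pans],
            })
    return findings


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['method']} http://{f['host']}{f['path']} -> "
              f"cleartext PAN(s): {', '.join(f['pans'])}")
```

Run on the sample, only the first record is reported: the same checkout over HTTPS is ignored, the rail search carries no card-like number, and the zoo order's number fails the Luhn test. In practice the same logic would sit on a proxy or egress gateway that already sees the request text, and the masked output is what goes into an alert.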
"We started investigating our data because we wanted to see if there was any sign of any credit card information," Eldar Tuvey, chief executive and co-founder at Wandera, told V3.
"We actually found lots of unencrypted credit card information that has been going through our service, which means that a variety of these sites we believe have not coded their mobile websites correctly.
"What we are talking about here is complete credit card information with the three-digit code, and expiry date, and in some cases passport information, car registrations, addresses, phone numbers. But the common factor is complete credit card information.
"It's an HTTPS problem so the traffic from particular parts of their mobile websites is being unencrypted. Whether it's bad coding, certificate misconfiguration or lack of testing, I can only hypothesise but we believe it's probably an oversight on their part due to complexity."
He added: "It's mostly mobile sites but it's some apps too."
However, easyJet has strongly denied that its customer data is at risk. A spokesperson told V3: "All passenger data is encrypted using HTTPS and we have retested all our systems overnight which verified that they are fully secure.
"EasyJet takes the security of its passengers' data extremely seriously using the latest technology alongside regular audits to test our systems to ensure our customers' data remains protected.
"In addition, no easyJet customers have reported payment security issues based on their use of the easyJet app. Our security experts have contacted Wandera and they are yet to provide further information.
"Additionally, our app supplier MTT has undergone rigorous PCI compliance audits and is fully PCI Certified."
Wandera later confirmed that the issue had been resolved by easyJet.
"As of a call with easyJet that concluded at 14.05 on Wednesday 9 December, Wandera is pleased to say that easyJet has confirmed that this is no longer an ongoing issue," Tuvey said in a statement.
Both Aer Lingus and Chiltern Railways have also rejected the claims made by Wandera.
An Aer Lingus spokesperson told V3: "Having contacted Wandera and investigated the matters they raised we are confident that their concerns are unfounded."
Thomas Ableman, commercial director at Chiltern Railways, said: "We are grateful to Wandera for raising this issue. As it happens, we had already identified this issue through our internal processes. We are confident that no customers' data has been compromised and our supplier has already put in place a full fix to ensure that the theoretical risk is eliminated.
"We take the security of our passengers' data very seriously, as you would expect, and constantly test our systems."
It appears the problem is not confined to the UK, with Wandera also claiming to find suspected flaws in the mobile websites of Air Canada, American Taxi and San Diego Zoo.