Lack of compliance is leaving customer data vulnerable

Hard on the heels of last week's TalkTalk breach, the British utility company British Gas has contacted over 2,000 customers to warn them that their email addresses and passwords have been posted online.

Yet according to information security company High-Tech Bridge many large companies could be leaving customer data at risk via their websites.

The company ran its free SSL checker tool on both the TalkTalk and British Gas sites and in each case revealed a lack of compliance with PCI DSS and NIST guidelines.

HT Bridge results

It has published a report on scans of the web servers of 161 companies from the Forbes Global 2000 list. Among its findings are that 19.4 per cent of the servers supporting HTTPS have an untrusted certificate, 34 per cent have Always-On SSL enabled and 26 per cent have an Extended Validation (EV) certificate. In addition, 18.5 per cent are still vulnerable to POODLE over SSL (that is, they still accept SSLv3), and only 12 per cent have configurations compliant with PCI DSS requirements 2.3 (encrypted non-console administrative access) and 4.1 (strong cryptography for cardholder data sent over open, public networks).
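Two of the figures above, servers still accepting SSLv3 (POODLE) and servers presenting untrusted certificates, are checks an operator can run against their own hosts without a third-party scanner. The script below is an added example written for this article, not High-Tech Bridge's tool or its code: it hand-crafts an SSLv3 ClientHello on a raw socket (modern OpenSSL builds no longer speak SSLv3, so the standard `ssl` module cannot be used for the probe) and classifies the server's first record, then separately validates the certificate chain and hostname against the system trust store. The cipher-suite list and the hostnames given on the command line are assumptions for illustration.

```python
"""SSLv3 (POODLE) probe and certificate trust check.

Added example, not High-Tech Bridge's scanner. The cipher-suite list and
the hostnames passed on the command line are assumptions for illustration.
"""
import os
import socket
import ssl
import struct
import sys

SSLV3 = b"\x03\x00"          # SSL 3.0 version bytes
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# CBC suites a legacy server is likely to accept under SSLv3. POODLE is a
# padding-oracle attack on SSLv3 CBC, so a ServerHello selecting any of
# these is the exposure being measured (assumed list, not exhaustive).
SSLV3_CBC_SUITES = (0x002F, 0x0035, 0x000A, 0x0033, 0x0039, 0x0016)


def build_sslv3_client_hello(suites=SSLV3_CBC_SUITES, client_random=None):
    """Return one SSLv3 record carrying a ClientHello offering `suites`."""
    client_random = os.urandom(32) if client_random is None else client_random
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        SSLV3                                          # client_version
        + client_random
        + b"\x00"                                      # session_id: empty
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                  # compression: null only
    )
    # Handshake header: 1-byte type + 3-byte length.
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: 1-byte content type + 2-byte version + 2-byte length.
    return bytes([CONTENT_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_sslv3_response(data):
    """Classify the first record a server returns to an SSLv3 ClientHello.

    Returns 'sslv3-accepted' (POODLE exposure), 'refused' (an alert, or the
    server closed the connection without sending a record) or 'unexpected'.
    """
    if len(data) < 5:
        return "refused"
    content_type, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if content_type == CONTENT_ALERT:
        return "refused"
    if (content_type == CONTENT_HANDSHAKE and (major, minor) == (3, 0)
            and len(data) > 5 and data[5] == HS_SERVER_HELLO):
        return "sslv3-accepted"
    return "unexpected"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_sslv3_response(data)


def certificate_is_trusted(host, port=443, timeout=5.0):
    """Return (True, None) if the chain validates against the system trust
    store and matches `host`, otherwise (False, reason)."""
    ctx = ssl.create_default_context()   # chain and hostname verification on by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True, None
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Usage: python poodle_check.py host1 host2 ...  (hostnames are your own)
    for target in sys.argv[1:]:
        print(target, "sslv3:", probe_sslv3(target), "cert:", certificate_is_trusted(target))
```

A server that is safe against POODLE answers the crafted hello with a `protocol_version` or `handshake_failure` alert, or simply closes the connection; both are reported as `refused`. Only a ServerHello carried in an SSL 3.0 record counts as `sslv3-accepted`. The certificate check uses Python's default context deliberately, because that is the same verification a browser-like client performs, so a self-signed, expired or mis-named certificate surfaces as a reason string rather than being silently accepted.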

"Appropriate data encryption is becoming a vital part of our everyday life," says Ilia Kolochenko, CEO of High-Tech Bridge. "Many security standards and federal laws require implementing strong data encryption to protect customers' data. This is why at High-Tech Bridge we decided to launch a free service to enable anyone to test his or her server security in a simple, fast and reliable manner.

"We are collaborating with many globally-recognised security organisations, such as OTA and ITU, to deliver the best quality of testing, and we are open to collaborate with the industry and individuals to continuously improve the service".

Full details of the scan results can be found on the High-Tech Bridge blog.

Photo Credit: Yuriy Boyko/Shutterstock