These Are The Mobile Sites Leaking Credit Card Data For Up To 500,000 People A Day

Security firm says companies such as EasyJet and the San Diego Zoo weren’t using basic encryption, affecting half a million daily users.

These Are The Mobile Sites Leaking Credit Card Data For Up To 500,000 People A Day
[Photo: Flcikr user frankieleon]

It’s e-commerce 101: A company has to encrypt your credit card data when you buy something online. Yet security company Wandera just found at least 16 companies, with a combined 500,000 daily users, who are not always encrypting data—specifically not on their mobile websites and, in some cases, their apps. Offenders range from giants like airlines EasyJet and Aer Lingus to the San Diego Zoo and the TriBeCa Med Spa in Manhattan. Data sent “in the clear” include credit card numbers, birth dates, and passport numbers. The kicker: Wandera has had a difficult time getting in touch with several of these companies to warn them ahead of announcing the vulnerabilities today.


Several companies involved, including Aer Lingus, CN Tower and easyJet, dispute Wandera’s findings. Wandera claims that easyJEt has since fixed the problem; and Fast Company is awaiting Wandera’s response to all the companies’ claims.

“We were very surprised when we found [the vulnerability] in the first place,” says Wandera CEO and cofounder Eldar Tuvey. ” His two-and-a-half year old company provides mobile security services for very large clients including Bloomberg, Office Depot, and NATO by channeling all Internet data through Wandera’s servers. Artificial intelligence algorithms analyze the data for patterns that indicate a cyber attack or employees going to NSFW destinations, like porn or gambling sites. Faulty website encryption wasn’t even on the company’s radar, he says, but it showed up in their analysis. “We had been looking for man-in-the-middle attacks or jailbroken phones…password leaks or username leaks,” says Tuvey. “We didn’t think we would find any credit card data.”

Tuvey suspects that the problem may go well beyond the 16 companies they have found so far (listed at the end of this article). With a few hundred clients, he estimates that Wandera sees only about 2% of the world’s mobile traffic. “If in our data that we do see we found this much, I’m assuming that in all the other data that we don’t see there’s just as many if not more,” says Tuvey.

Amazon (above) uses HTTPS encryption. The San Diego Zoo (below) does not.

The rookie mistake is that these companies are using the regular http protocol for web traffic instead of the encrypted https version that’s standard fare in the world of e-commerce. (It’s required by the PCI Security Standards Council, a body made up of the major credit card companies.) Many people have probably heard the admonition to look for “https” at the beginning of a URL, and a padlock icon signifying encryption near the address bar, before entering credit card info into a web form.

“I think just because of the screen sizes it’s a difficult thing,” says Tuvey. Mobile versions of browsers like Chrome and Safari do show the padlock icon, but it’s only a few pixels across; and both mobile and desktop browsers sometimes hide the gobbledygook of web addresses, like “http://” and even the “www” parts. And mobile apps don’t have a standard way to show if they are using an encrypted connection.

How Dangerous Is Mobile, Really?

So this sounds bad, but how dangerous is it, really, to send sensitive data unencrypted over the Internet? The biggest hazard is often in the immediate physical proximity, through what’s called a man-in-the-middle attack. Someone gets between a computer or cellphone user and their Internet connection, allowing them to comb through all the data that passes to and from the person’s device. This can happen with public Wi-Fi, in which the attacker is logged on to the same network that everyone else is. Or a hacker can create their own network with a mobile hotspot that fits into a backpack. “You can set one up in a coffee shop,” says Tuvey,” call it Free Coffee Wi-Fi, and you’d be amazed how many people just go onto it.”


Companies like Wandera protect users from this danger by encrypting every bit of data that goes between their device and the Internet, regardless of whether it’s Social Security numbers or pictures of cats. If you don’t work for NATO or Bloomberg or some other giant entity that subscribes to such a service, you can do it yourself with encryption services and apps such as Cloak or TunnelBear that range from free for a certain amount of data to about $10 per month.

Why Don’t Companies Respond To Security Risks?

Everyone makes mistakes, but if you were an IT officer alerted to a major security breach, why wouldn’t you respond? Tuvey says that Wandera started notifying the 16 companies on Sunday, once he felt confident that he understood the vulnerability enough to alert them. That gave them just two workdays before Wandera put out its press release on Wednesday, but this seems like the kind of thing that would move to the top of someone’s to-do list.

The answer could be that the right people at some of these companies still don’t even know. “We’ve done our best to call them,” says Tuvey. “But mostly it’s through email and online forms, because that’s all that’s provided.” This isn’t the first time I’ve heard a security company say that it had a hard time getting through to a company with a vulnerability, so I decided to try for myself on Tuesday with a half-dozen companies on Wandera’s list—four in the U.S. and two in Europe. One company’s phone system dropped my calls, and I left messages with three others.


The San Diego Zoo called me back, and the press officer told me that its mobile website doesn’t take ticket orders. When I tried it, however, it featured a “Tickets” icon right on the home page. Clicking through took me from ”” to ”“—which had the exact same design and took down all of my order information, including my credit card specifics.

Tuvey says he sees mixed results with contacting companies about vulnerabilities. Some tech firms such as Apple (which he has contacted in the past) are very responsive, he says, often with at least a dedicated email address for reporting vulnerabilities. But he says that general retailers, such as e-commerce and ticketing sites, are usually not so easy to reach. “I think some of these companies are—how do you put it—careful not to overly publicize their phone numbers,” says Tuvey.

The affected companies, so far, are:


Aer Lingus
Air Canada
American Taxi
Chiltern Railways
CN Tower
Dash Card services/parking
easyJet (recently fixed)
Get Hotwired
KV Cars
Oui Car
San Diego Zoo
Tribeca Med Spa

This story has been updated with new information.



About the author

Sean Captain is a business, technology, and science journalist based in North Carolina. Follow him on Twitter @seancaptain.