86% UK’s most-visited websites failing GDPR compliance tests
3 June 2019
As many as 86 percent of the top hundred most-visited websites in the United Kingdom are not compliant with GDPR requirements, be it in terms of offering privacy policies or secure usage of cookies handling potentially sensitive data, tests carried out by ImmuniWeb have revealed.
In 2017, GCHQ’s National Cyber Security Centre launched a comprehensive Web Check service to scan websites owned by UK public sector organisations for existing and emerging vulnerabilities and to help such organisations fix such flaws before they could be exploited.
In less than a year after Web Check was introduced, NCSC succeeded in performing 1,033,250 individual scans running 7,181,464 individual tests, scanned 7,791 unique URLs across 6,910 unique domains and produced 4,108 advisories for customers.
These advisories included 2,178 issues relating to certiﬁcate management, 1 relating to HTTP implementation, 184 relating to out of date content management systems, 1,629 relating to TLS implementation, 76 relating to out of date server software and, 40 relating to other issues.
Even though the government introduced GDPR in May last year in the form of a new Data Protection Act, GDPR compliance remains an issue with a large number of small, medium and large organisations struggling to curate their data protection policies to seamlessly comply with the new regulation. The situation seems to be much worse when it comes to website security, especially for sites that are visited by hundreds of thousands, perhaps millions of Internet users every day.
A series of non-intrusive checks carried out by ImmuniWeb of the top hundred most-visited websites in the UK has revealed that as many as 86 percent of such websites are not completely GDPR compliant with a large number of those failing to comply in terms of offering easily-accessible privacy policies.
Checks carried out by ImmuniWeb revealed that while 17 percent of the hundred most-visited websites in the UK did not have privacy policies or had policies that were hard to access, every single one of them failed when it came to secure usage of cookies handling potentially sensitive data.
UK’s most-visited websites are HTTPS encrypted & have updated CMS components
However, UK websites performed remarkably well with all of them scoring 100% in terms of shunning the use of outdated and vulnerable CMS or CMS components and implementing HTTPS encryption to prevent data leakage.
In comparison, the top hundred most-visited websites in each of the 28 European member states had a failure rate of 51.50% in terms of offering privacy policies, 78.25% failure rate in terms of secure usage of cookies handling potentially sensitive data, 6.75% failure rate in terms of shunning the use of outdated and vulnerable CMS or CMS components, and 5.96% failure in terms of implementing HTTPS encryption to prevent data leakage.
In fact, in EU member states such as Croatia, Czechia, Ireland, Malta, and Slovakia, the failure rate of the top hundred most-visited websites in each of these states was a hundred percent, with none of them being 100% GDPR compliant, the most concerning issue being secure handling of cookies.
On the other hand, the top hundred most-visited sites in Germany and Italy had an overall GDPR compliance rate of 50%, followed by those in Austria (33%), Spain (25%), Greece (19%), Poland (18%), and Belgium, Bulgaria, Cyprus, and France (17% each). Websites in the UK lagged behind with an overall GDPR compliance rate of 14 percent.
“We can see laudable efforts aimed to improve web application security and adhere to GDPR requirements amid European companies. However, there is a long road before the majority of organisations start valuing actual security above paper-based compliance thereby providing users with the privacy and security they truly deserve,” said Ilia Kolochenko, CEO and Founder of ImmuniWeb.
ImmuniWeb is now offering a new free test where organisations can measure the security credentials of their websites and external web applications vis-a-vis relevant GDPR and PCI DSS requirements. Using the service, organisations can verify PCI DSS requirements 6.2, 6.5 and 6.6, GDPR requirements applicable to websites and web applications, scan for all known vulnerabilities in the fingerprinted software, and check over 20 HTTP headers related to security, encryption or privacy for strong configurations in line with industry best practices.