CyCognito report highlights rising cyber risks in holiday e-commerce

Nov. 26, 2024
Despite e-commerce sites handling more sensitive data than ever, vulnerabilities continue to persist.

CyCognito today released a special report on the security risks facing e-commerce platforms during the holiday shopping season, highlighting the growing threats to customer data as Black Friday and Cyber Monday drive a surge in online activity. The findings show that, although e-commerce sites handle more sensitive data than ever, vulnerabilities persist, especially in web applications and interfaces.

"With the holidays fast approaching, both retailers and shoppers need to be prepared for the risks of the seasonal rush. As they race to meet shopping demands, attackers are ready to exploit vulnerabilities in ecommerce assets, potentially stealing personal information or causing major disruptions," said Emma Zaballos, Senior Researcher, CyCognito. "It's crucial for retailers to prioritize ongoing security checks, ensuring their websites are prepared well ahead of peak shopping days. Otherwise, the consequences could be a far worse gift than any shopper expected."

For this report, CyCognito's research team aggregated and analyzed e-commerce web application assets across its customer base from November 2023 to October 2024. All findings are anonymized and normalized. These customers span multiple industry verticals and include a mix of small, medium, and large enterprises across the globe, including Fortune 500 companies.

Key findings:

  • E-commerce Sites Handling Sensitive Data at Risk: Over half (53%) of e-commerce assets collect personally identifiable information (PII), making them prime targets for attackers. With increasing reliance on e-commerce platforms during peak shopping seasons, PII exposure remains a critical concern.
  • Widespread Lack of HTTPS and WAF Protections: Although HTTPS has reached its 30-year anniversary, 3% of e-commerce web apps still lack HTTPS protection, increasing the risk for both customers and retailers. WAF adoption has also declined, with over 40% of e-commerce assets lacking this basic defense against attacks.
  • PII-Exposing Assets Lacking Security Protections: The share of e-commerce assets that collect PII and lack a WAF has risen to 35%, up from 24% last year. In the UK and Europe, over 40% of such assets remain unprotected, increasing the potential for data breaches and reputational damage.
  • Certificate Validity and Trust Issues: While certificate validity has improved, 6% of e-commerce sites still show certificate issues, with the UK seeing an increase to 14%. This raises concerns about customer trust, especially during critical sales periods when users may abandon transactions due to security warnings.
