How do the top 100 UK ecommerce sites deal with personal data?

Dashlane assessed the password security procedures on the Top 100 e-commerce sites by examining 26 different password security criteria and awarding/docking points depending upon whether sites follow good security practice or encourage risks. Each criteria is given a +/- point value enabling each website to achieve total score between 100 and -100.

As online retail sales exceeded expectations in December with the IMRG Capgemini e-Retail Sales Index recording 18% year-on-year growth, consumers are increasingly sharing their personal data, including payment information, with a growing number of e-retailers. Dashlane analyzed the UK’s top 100 e-retailers’ data protection policies and discovered multiple areas of serious concern related to protection of consumers’ data.

• 63% of top 100 UK e-commerce sites didn’t implement an explicit policy (all criteria rated with a “-” or 0; see methodology) to protect personal data of their customers.
• Only 37% deliberately strengthened their processes to reduce risks of data theft or fraudulent usage of personal data and deployed corresponding processes rated with a “+” according to our methodology.

Additional key findings from the study include:

• 66% still accept notoriously weak passwords such as “123456” or “password”, putting users in danger as these are often the first passwords hackers use when trying to breach accounts.
• 66% make no attempt to block entry after 10 incorrect password entries (including Amazon UK, Next, Tesco and New Look). This simple policy prevents hackers from using malicious software that can run thousands of passwords during log-ins to breach accounts.
• 60% do not provide any advice on how to create a strong password during signup, and only 14% display a password meter to help their users gauge the strength of their chosen password.
• 25%, including The Body Shop, Clarks and Superdrug, send passwords in plain text via email letting any hacker that has access to your email account sign in to your other accounts.

Teletext Holidays, Urban Outfitters and Holland & Barrett received the three lowest scores. Virgin Altantic, Ocado were also among the lowest ranked sites as they all received scores of -35 or below.

Apple is the best e-commerce site in terms of data protection, followed by Travelodge UK, which suffered from a data breach in 2011. The rest of the highest ranked sites are biggest brick and mortar retailers and hotel chains who turned out to develop their business on the web, without impairing security for their customers.

Overall the study found that the bigger the organization, the safer the website was in terms of data protection, according to the strong correlation of rank and revenues.

However, there are a couple of counter examples showing that this is not always the case as Sainsbury, Virgin Atlantic and The Bodyshop.

These findings are troubling, particularly when examined in the context of numerous recent online security issues at major retailers. They suggest that some of the top e-commerce sites in the UK fail to implement basic password policies that could adequately protect their users’ personal data.

Users at risk

The danger with a weak password policy is that it leaves users’ personal data vulnerable. The weaker the password, the easier it is for hackers to break into an account. Therefore, sites with lenient password policies are leaving their users exposed to greater risk.

The majority of sites accept ten of the most commonly used passwords such as “123456”, “111111” and even the word “password”. Dashlane also discovered that 69% do not require a mix of letters and numbers, and 79% accept passwords with 6 characters or less.

In addition to permitting weak passwords, a number of e-commerce sites do not lock users’ accounts after repeated failed access attempts. Numerous sites, including Amazon and New Look, allow uninterrupted normal login attempts even after 10 incorrect password entries. One of the easiest methods hackers use to break into an account is the automated entry of commonly used passwords. Restricting account access after multiple incorrect entries is a simple way to curb this tactic.

When the two issues above are combined, it becomes easy for hackers to access many accounts because they can repeatedly try the most commonly used passwords without being blocked.

Also among the more dangerous practices is the sending of passwords in plain text via email. Thankfully this practice was not prevalent, but the study found that several sites, including The Body Shop, Clarks and Superdrug, still email users’ passwords in plain text.