The companies putting your cyber security at risk

Big energy firms, banks and supermarkets make billions from us, yet some fall short when it comes to online security, potentially giving opportunities to cybercriminals

We're becoming used to the need for vigilance when it comes to online scams, but a new Which? investigation suggests major companies and household names could also do more to safeguard you online. 

Big brands that we interact with every day too often prove below par when it comes to security - and that’s putting you at risk from scams, cybercrime and other malicious activity.

With computer misuse now one of the most common crimes in the UK, causing millions of pounds in losses, why are companies putting your security at risk?




Banks, airlines and energy firms all have issues

We worked with security experts Red Maple Technologies to assess 25 of the biggest companies across five consumer industries: airlines, supermarkets, banks, energy and water. 

These firms have a combined revenue of more than £568bn and an annual profit of just shy of £50bn. However, Red Maple’s FractalScan Surface passive scanning tool found 317 potential security issues with their online presences, including 308 rated as 'high' and nine as 'critical', the highest level of severity. 

Surprisingly, banks had the most issues, at 116. Airlines came next at 66, followed by supermarkets (56), energy firms (53) and water providers (26). 

A reported issue doesn’t mean that the company has been hacked, or that your data is at risk. But each one is a potential foothold for a cybercriminal. 

And while we operate within the law in our testing, malicious hackers have no such restrictions. They can, and do, go much further.


Security issues found and fixed

There was only one instance where we found an issue with a company’s main website – the one you most commonly visit. Most issues were on less-used, little-known sites run by the company (known as subdomains: careers sites, old campaign sites, test systems and the like). 

Many issues we found related to missing or weak encryption – for example, websites served over plain HTTP instead of HTTPS, so that nothing sent to or from them is encrypted at all. Ironically, one of them was a company’s privacy statement.

We found an internal dashboard hosted by a water company that gave details of the company’s internal infrastructure – useful information for a criminal. One of Tesco’s subdomains had even been hijacked by a hacker. 

Too many companies were running out-of-date software on internet-facing systems, some of it with publicly known vulnerabilities that hackers could exploit. 
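The checks described above (plain HTTP with no redirect to HTTPS, a TLS certificate that no longer verifies, and a Server header that discloses a software version) can be reproduced with a small passive scan. The script below is an added example written for this page; it is not Which?’s or Red Maple’s code, and the hostnames in the usage section are placeholders, to be replaced with hosts you own or are authorised to test. The severity labels are this example’s own choice and mirror the high/critical wording used in the findings only loosely.

```python
"""Added example: a minimal external check of a hostname's HTTP/TLS posture.
Not the tool used in the investigation; the hostnames below are assumptions."""
import http.client
import socket
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class HostReport:
    host: str
    http_status: Optional[int] = None      # status of a plain-HTTP HEAD /, None if port 80 closed
    http_location: Optional[str] = None    # Location header from that response, if any
    tls_error: Optional[str] = None        # verify failure message, None if the cert verified
    server_header: Optional[str] = None    # e.g. "Apache/2.4.29"
    errors: List[str] = field(default_factory=list)


def rate(r: HostReport) -> List[Tuple[str, str]]:
    """Turn raw observations into (severity, message) findings. Pure function, no network."""
    findings: List[Tuple[str, str]] = []
    if r.http_status is not None:
        # Only a redirect whose target is an https:// URL counts as "HTTP is fine here".
        redirected = (
            300 <= r.http_status < 400
            and r.http_location is not None
            and r.http_location.lower().startswith("https://")
        )
        if not redirected:
            findings.append(("high", "content served over plain HTTP with no redirect to HTTPS"))
    if r.tls_error:
        findings.append(("high", f"TLS certificate failed verification: {r.tls_error}"))
    if r.server_header and any(ch.isdigit() for ch in r.server_header):
        # A version string is not a vulnerability by itself, but it is what an attacker
        # looks up first when hunting for out-of-date software.
        findings.append(("low", f"server software version disclosed: {r.server_header}"))
    return findings


def check_http(r: HostReport, timeout: float = 5.0) -> None:
    """Does the host answer on port 80, and if so does it send you to HTTPS?"""
    try:
        conn = http.client.HTTPConnection(r.host, 80, timeout=timeout)
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        r.http_status = resp.status
        r.http_location = resp.getheader("Location")
        r.server_header = r.server_header or resp.getheader("Server")
        conn.close()
    except OSError as e:  # connection refused or timed out: no plain-HTTP listener
        r.errors.append(f"http: {e}")


def check_tls(r: HostReport, timeout: float = 5.0) -> None:
    """Verify the certificate the way a browser would; record why it fails if it does."""
    ctx = ssl.create_default_context()  # checks chain, hostname and validity period
    try:
        with socket.create_connection((r.host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=r.host) as tls:
                tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {r.host}\r\n\r\n".encode())
                head = tls.recv(4096).decode("latin-1")
                for line in head.split("\r\n"):
                    if line.lower().startswith("server:"):
                        r.server_header = line.split(":", 1)[1].strip()
    except ssl.SSLCertVerificationError as e:
        r.tls_error = e.verify_message  # e.g. "certificate has expired"
    except (ssl.SSLError, OSError) as e:
        r.errors.append(f"tls: {e}")


def scan(hosts: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    results = {}
    for h in hosts:
        r = HostReport(h)
        check_http(r)
        check_tls(r)
        results[h] = rate(r)
    return results


if __name__ == "__main__":
    # Placeholder host; substitute subdomains you are authorised to scan.
    for host, findings in scan(["www.example.com"]).items():
        for severity, msg in findings or [("info", "no findings")]:
            print(f"{host}: [{severity}] {msg}")
```

Run it against a list of your own subdomains exported from DNS; the default SSL context deliberately refuses expired or mismatched certificates, so the verify message is the finding rather than something to suppress.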

Not all companies reported back fully on what they did in response to our research. But based on just the five companies that did, our disclosures led to 20 sites being taken down and 13 vulnerabilities being updated or resolved. 

A full breakdown of the findings is below, but we can’t offer much detail on any still unresolved problems, so as not to give the hackers a head start.

Banks: out of date security

You might be surprised to see HSBC, Lloyds, NatWest, Santander and Barclays had collectively the most potential issues. 

Banking security is generally good, and you shouldn’t worry about using your online banking account. 

The issues we found were generally with the thousands of websites and subdomains operated by the banks – the most of all the sectors assessed. 

HSBC and NatWest had the most issues, but the majority of vulnerabilities were expired TLS certificates on old, seemingly unused subdomains. An expired certificate makes browsers warn visitors away and usually signals a host nobody is maintaining any more. 

None of our findings indicated that customer data was at risk or any critical systems. Look out for our separate full investigation into banking security in early 2023.

HSBC UK said that protecting customers and their data is of 'paramount importance to us', and noted that its cyber security was 'aligned to the industry best practices'. The bank said that it appreciated our research, but did not agree with our assessment of risk, claiming the pages we reported were known to them and are either 'not live pages, do not hold or require sensitive data, or have robust measures in place to mitigate any risk'.  

Barclays said that it does not agree with our assessment of risk and that our findings related to "legacy URLs that will either re-direct to secure URLs or are no longer active and pose no security risk". However, it has addressed the issues we raised and removed certain records in order to "avoid confusion". 

"Barclays maintains the highest standards of protection and security with no priority coming higher," the bank added.  

"The security protection and risk assessment is taken extremely seriously, using multiple strategies and capabilities, that will include continuous scanning of our internal estate, perimeter and suppliers’ services to maintain the highest standards of service.”

Lloyds said that it 'places paramount importance on the security of our customers and is continually investing in our technology to mitigate constantly evolving cyber threats', and that it continues to test its services and systems to ensure they remain secure.

Santander said that it also takes cyber security extremely seriously and regularly monitors and tests all of its systems for security. It is reviewing the vulnerabilities we identified, none of which it says are retail customer applications.

A NatWest spokesperson said: “NatWest Group remains committed to keeping its customers, data, and systems safe and secure. We have a multi-layered approach to domain security and security testing which comprises of vulnerability scanning, policy-led penetration testing, and advanced security testing.”


Supermarkets: a subdomain hijacked by a hacker

Aldi, Asda, Morrisons, Sainsbury’s and Tesco had the second-most subdomains between them, after the banks. However, we only found 56 issues - the lowest rate per domain across all sectors tested.

One of Tesco’s subdomains had been hijacked by a hacker. (Subdomains are commonly taken over when a DNS record is left pointing at a hosting or cloud service the company no longer controls, so anyone can claim it.) It wasn’t being used for anything malicious, but a genuine-looking company address is a valuable tool for phishing attacks. It has now been taken down. 

We found a website hosting a Morrisons statement on email privacy that was not properly encrypted. Among Aldi’s high-impact issues was a ‘January Amazing’ site that was empty and served without encryption. This has also since been taken down. 

Aldi said: 'We take cyber security extremely seriously and we have stringent measures in place to protect our sites from security breaches of any kind'. It also said our tests did not implicate its customers’ data in any way and it has engaged with us to learn more about our findings. 

Tesco said that it takes cybersecurity 'extremely seriously', and assured customers that it has 'robust security measures in place and that their data is well protected'. 'The examples outlined by Which? relate to subdomains of our websites which don’t contain any customer information nor personal data, were never at risk of being compromised, and pose no risk to our wider cybersecurity. Nevertheless, our team investigated and have resolved all of the examples raised,' Tesco added.  

Morrisons said that it uses alternative tools to conduct regular vulnerability assessments of its websites and those run by associated third parties. 

'The frequency of these assessments depends on the purpose of the site with those containing sensitive information, such as payment processes, being assessed far more frequently than those that are purely informative,' the supermarket said. 

Asda and Sainsbury's did not respond with a statement by our deadline.


Airlines: a range of vulnerabilities

Two years ago, we reported on cybersecurity issues in the travel industry, so it’s disappointing to see that the industry still has problems. 

We found 66 vulnerabilities across the websites of five major airlines, including British Airways and easyJet, which did badly in our last report. Both companies have had notable data breaches, and BA was fined by the ICO. 

Among the 'high' and 'critical' issues found across easyJet’s 1,103 subdomains were several easyJet sites served over unencrypted HTTP, including a privacy-focused site. We also found 'high' impact issues with websites run by British Airways, Jet2, Tui and Virgin Atlantic.

BA insisted that its cybersecurity measures align with industry and international standards and it has ‘multiple layers of protection in place to manage and mitigate any risk’.

EasyJet claimed that there were ‘false positives’ in our findings and that the ‘small number’ of remaining issues had been resolved. The no-frills carrier added that it continues to be ‘vigilant’ and ‘further strengthen and invest heavily’ in cyber defences.

Virgin told us that, while it welcomed the impartial research, our scoring metrics didn’t capture the wide range of measures employed ‘to uphold the integrity of our website and subdomains’.

We remained in talks with Jet2 at the time of going to press. Tui didn’t provide a response to our enquiries.

Energy companies: the highest number of critical issues

Energy firms are now regularly in the news for spiralling gas and electricity prices. However, despite British Gas, Eon, EDF Energy, Ovo Energy and Scottish Power earning annual profits of £7.75bn, not enough seems to be directed into cybersecurity. 

We found 53 issues with the companies' websites, including the highest number of 'critical' issues per sector (two with Ovo Energy and one with Scottish Power). 

As with all companies in our research, we’ve contacted the firms about what we found. None of the issues we reported poses a known risk to customer data (as is the case across all sectors) or to the provision of critical power services to UK homes.

EDF said that the company has its systems 'regularly tested by accredited independent organisations', and that 'none of the issues identified by Which? related to the security of customer information and at no time has customer data been compromised'. It added that several of the issues we raised were fixed prior to Which? contacting EDF, as part of routine security maintenance, and that the remaining issues would have been identified in future maintenance. It thanked Which? for bringing them to its attention early and confirmed they will be resolved.

Scottish Power said that digital channels are 'vital tools' for its business and so it has 'robust controls and measures in place to protect our systems and information'. It said it also works with relevant authorities and industry bodies to ensure it responds to cyber risks, while maintaining the resilience of its platform and maximising availability, security and functionality for customers.

British Gas and Ovo declined to give a statement for publication. Eon didn't respond by our deadline. 

Water companies: lack of encryption

Water firms had the fewest issues (26), but the five on test – Anglian Water, Scottish Water, Severn Trent Water, Thames Water and United Utilities – also had the fewest domains (1,592). 

Among the 26 issues found, a website for United Utilities’ 2014 annual financial report and the Thames Water careers website were both served without encryption. 

We also found a dashboard of internal IP addresses and hostnames for one water company exposed on the internet. Hackers could use this to map a company’s internal infrastructure when planning attacks. 

These vulnerabilities won't impact water quality or service, as this critical infrastructure isn't connected to the systems we analysed.  

Anglian Water said that its own assurance services had 'already identified around 80% of the "high" rated vulnerabilities', and that it was working to 'mitigate the identified risks'. It said it's grateful to Which? for bringing the other issues to its attention, and that any service handling sensitive data, such as payment information, was 'protected by cyber security controls and subject to regular review'. 'Crucially, our operational systems looking after the treatment and supply of water are in no way connected to any of the systems analysed by this investigation,' Anglian Water added.

United Utilities said that it was 'already aware of the non-critical vulnerabilities identified and are addressing them'. It added that none of the issues represents a risk to the company or its customers, and that it has a wide-ranging programme of cyber security management in place.  

Thames Water said that, as a provider of critical national infrastructure, it takes the security of its networks and systems 'very seriously'.  It also noted that it deploys 'a defence in depth strategy utilising a variety of technical mechanisms that, naturally, are not visible to external scanning', such as that used in our investigation.  

Severn Trent said that it operates 'a robust approach to cybersecurity', including a dedicated security operations centre monitoring for incidents across its network. 


Are companies legally required to make websites secure? 

Under the General Data Protection Regulation (GDPR), companies are required to take ‘appropriate technical and organisational measures’ to ensure that personal data is processed securely. However, GDPR doesn't say what those measures must be: it sets no specific cybersecurity controls that companies must implement. 

There are some widely adopted security requirements, such as PCI DSS for card transaction security, while global businesses face a tangle of international requirements to navigate. 

In the UK, though, there is no mandatory baseline cybersecurity standard that businesses in general must adhere to. The closest thing, the government-backed Cyber Essentials and Cyber Essentials Plus schemes, is only required of certain organisations working in or with government.

This would be fine if we could trust companies with our data. However, our investigations – plus, a slew of data breaches, ransomware and other cyber incidents – tell a very different story. 

We’re all doing much more online and that trend will only accelerate. Without trust in the companies we deal with, the UK is far away from being the ‘safest place in the world to be online’, as the government has pledged. 

How to stay safe while online

Before you delete your online accounts – don’t panic. The tips below will help you increase your security while online.

  • Passwords Far too many companies let you set weak, easily guessable passwords for accounts, making life easy for scammers. Even if you can, don’t do this. Set strong passwords and use a password manager.
  • Updates Updates provide the latest security protections. Always ensure you keep all your devices, browsers and software updated. If your smartphone or other device is no longer supported with updates, it’s time to upgrade to always stay secure (see which.co.uk/updates). 
  • 2FA Two-factor authentication (2FA) means adding a second step to logging in, such as a code from an authenticator app or a code sent to your phone, so a stolen password alone isn't enough. Use 2FA wherever it's available, especially for sensitive accounts such as banking, and prefer an authenticator app or security key over codes sent by text message or email where you have the choice.
  • Data sharing If you’re shopping, booking or browsing and are asked to set up an account, consider whether you really need one. Can you complete the transaction as a guest? Only set up accounts for services you’re going to use regularly, to speed up the checkout process. 
  • Phishing Too many firms make it easy for hackers to impersonate them in phishing attacks. Always be vigilant when receiving messages or browsing websites. It might be that what you’re viewing isn’t what it appears to be.