CyCognito has released a special report on the security risks facing ecommerce platforms during the holiday shopping season.

Holiday sales and data leaks

The report highlights the growing threats to customer data as Black Friday and Cyber Monday drive a surge in online activity.

The findings showed that, despite ecommerce sites handling more sensitive data than ever, vulnerabilities continue to persist, especially in web applications and interfaces.

“Risks of the seasonal rush”

Emma Zaballos, Senior Researcher, CyCognito commented: “With the holidays fast approaching, both retailers and shoppers need to be prepared for the risks of the seasonal rush.

“As they race to meet shopping demands, attackers are ready to exploit vulnerabilities in ecommerce assets, potentially stealing personal information or causing major disruptions.

“It’s crucial for retailers to prioritize ongoing security checks, ensuring their websites are prepared well ahead of peak shopping days.

“Otherwise, the consequences could be a far worse gift than any shopper expected,” concluded Zaballos.

Ecommerce web application

For this report, CyCognito‘s research team aggregated and analyzed ecommerce web application assets across its customer base from November 2023 to October 2024.

All findings are anonymized and normalized.

These customers span multiple industry verticals and include a mix of small, medium and large enterprises across the globe, including Fortune 500 companies.

The report’s key findings

Ecommerce sites handling sensitive data at risk:

• Over half (53%) of ecommerce assets collect personally identifiable information (PII), making them prime targets for attackers

• With increasing reliance on ecommerce platforms during peak shopping seasons, PII exposure remains a critical concern

Widespread lack of HTTPS and WAF protections:

• Despite the 30-year anniversary of HTTPS, 3% of ecommerce web apps still lack HTTPS protection, increasing the risk for both customers and retailers

• WAF adoption has also declined with over 40% of ecommerce assets lacking this basic defense against attacks

PII-exposing assets lacking security protections:

• The number of ecommerce assets that collect PII and lack a WAF has risen to 35%, up from 24% last year

• In the UK and Europe, over 40% of such assets remain unprotected, increasing the potential for data breaches and reputation damage

Certificate validity and trust issues:

• While certificate validity has improved, 6% of ecommerce sites still show certificate issues with the UK seeing an increase to 14%

• This raises concerns about customer trust, especially during critical sales periods when users may abandon transactions due to security warnings