Data, the most significant driver of the digital economy, is at risk.

Sensitive data like PII and credit card information has never been more at risk - and security effectiveness is declining. The vast majority of global brands are failing to implement controls to prevent data leakage and theft by preventing client-side attacks:

  • Over 99% of websites are at risk from trusted domains like Google Analytics. These can be leveraged to exfiltrate data. This has significant implications for data privacy, and by extension, GDPR and CCPA.
  • 30% of the websites analyzed had implemented security policies - an encouraging 10% increase over 2019. However...
  • Only 1.1% of websites were found to have effective security in place - an 11% decline from 2019. It indicates that while deployment volume went up, effectiveness declined more steeply.

99% of Top Websites Provide Attackers with Access to Customer Data

Benchmarked against a similar study in 2019 , this year’s report indicates that security effectiveness against JavaScript vulnerabilities is declining, despite high-profile attacks and repeated industry warnings over the past 18 months, including the largest GDPR fine to date.

What's in the report? Key findings include:

COVID-19 has increased reliance on digital experience.

58% of the content that displays on customer browsers is delivered by third-party JavaScript integrations. This website supply chain leverages client-side connections that operate outside the span of effective control in 98% of sampled websites. The client side is a primary attack vector for website attacks today.


Form data is exposed to nearly 10X more domains than intended.

Despite increasing numbers of high-profile breaches, forms, found on 92% of websites expose data to an average of 17 domains. This is PII, credentials, card transactions, and medical records. Tala’s analysis shows that this data is exposed to nearly 10X more domains than intended.


Just 1.1% of websites analyzed have effective security in place.

This is an 11% decline from 2019. While deployment volume went up, effectiveness declined more steeply. Attackers have the upper hand mainly because we are not playing effective defense.


No attack is more widespread than Cross-Site Scripting (XSS).

While other client-side attacks such as Magecart capture most of the headlines, no attack is more widespread than Cross-Site Scripting (XSS) but 97% of websites are using dangerous JavaScript functions that could serve as injection points to initiate a DOM XSS attack.

Data breaches by the numbers

A data breach can wipe as much as 7.2% of a company's share price: up to $32.3M for US companies or around £8.8M for UK-listed companies.
Magecart attacks on online retailers and banks increased by 20% during the pandemic.
Web applications were involved in 43% of breaches in 2019; 37% used or stole credentials.
The average cost of a breach in 2019 was $3M per organization, with lost business accounting for 36% of the cost.

Download the State of the Web 2020 report today to learn how to protect your website, and your customers.