
Live Chat Security: Everything You Need to Know for Secure Live Chat

Live chat connects website visitors to agents in real time so customers can receive fast and efficient support. But while its popularity and effectiveness have soared in recent years, some worry about the security of live chat. This is understandable. After all, customers often share personal and sensitive information with agents, and it’s critical that none of it falls into the wrong hands. On top of this, some industries require compliance with specific security measures to protect their customers’ data.

Over the years, SaaS developers have worked with businesses to increase the efficacy and security of this vital customer service channel: most of today’s live chat providers offer some level of password protection and data encryption to help companies manage sensitive data. 

However, the level of security offered by different vendors does vary widely. This makes it all the more important to know how your live chat provider is managing your and your customers’ data, and what measures it has in place to detect and neutralize security breaches. 

This blog post breaks down the basics of live chat security and potential threats to help you find the most secure live chat platform for your company. 

How can a cyber-attack affect my company? 

If your website experiences a successful cyber-attack, there are several ways it can damage your business. Ransomware attacks are the most common. 

These work by stealing a company’s sensitive data and then demanding a ransom fee to have it returned. Attackers may also extort organizations that handle sensitive data, such as law firms, governmental organizations, and healthcare institutions, by threatening to make customer data public if no ransom payment is made. A data breach of this scale can severely impact a company of any size by damaging the company’s image, hurting business-customer relations, and potentially leading to lost sales.

But companies don’t only have to worry about payouts to cyber attackers in the event of a data breach. They also have to worry about hefty fines and penalties issued by supervisory entities and government agencies that enforce responsible management of customer data. Businesses that experience a breach involving live chat data of European citizens, for example, will have to pay a fine to the EU for failing to comply with GDPR regulations and standards.

A new report by IBM compiles the indirect and direct losses due to data breaches, pinpointing the average cost of a data breach in 2020 at $3.86 million. The same report shows that US organizations face the highest costs with an average of $8.19 million lost per breach – 5.3% more than 2019. 

How can my live chat software be breached – and what can be done to prevent it?

Live chat data can be breached in several ways: some are specific to live chat, while others threaten other channels as well. We’ve compiled a list of threats to live chat security, complete with real-life examples and actionable tips to help protect your company from breaches.

1. Software updates 

Improperly coded or tested software updates by SaaS providers can leave customer data vulnerable. The most recent example of this comes from SolarWinds, a networking and security software company whose products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies, and education institutions.

In this case, 18,000 customers downloaded a software update that attackers had compromised and altered to plant a backdoor into the system. While this attack was highly sophisticated, it points to a need that companies have when assessing software vendors: be aware of what security measures software vendors are implementing when it comes to installing security patches and updates.

Staying secure: To avoid compromising updates, your live chat provider should install security patches and perform updates only after rigorous testing. Internal audits should be conducted frequently to assess security standards, and developers should be rigorously trained on coding standards and web security to ensure total live chat security.  

2. Flawed chat window code 

Sometimes it isn’t a security update that is flawed — it’s the live chat code itself. Live chat providers with inadequately secure chat windows and/or poor data handling practices pose enormous threats to customer privacy by leaving customer information and transcripts vulnerable to misuse by cyber attackers. 

US telecommunications giant Verizon experienced exactly this type of breach in December 2020. Ars Technica reported that Verizon had been leaking addresses, phone numbers, account numbers, and other personal information through a chat window on its website.  

Verizon recently acknowledged this glitch with a statement, telling users: “We’re looking into an issue involving our online chat system that assists individuals who are checking on the availability of Fios services. We believe a small number of users may have seen a name, phone number, and/or a home or building address from an unrelated individual who had previously used this chat system to enter that information. Since the issue was brought to our attention, we’ve identified and isolated the problem and are working to have it resolved as quickly as possible.”  

Unfortunately for Verizon, it wasn’t just the public live transcript leaks that were damaging: reports show that this problem was happening as far back as June 2020, meaning that this leak was going on for months before it was addressed. 

Staying secure: For secure live chat, make sure that your provider uses a PCI DSS compliant Secure Form like Comm100’s to request sensitive data through the chat window. Data should be TLS encrypted to ensure account privacy and data integrity, and should not be accessible after the session has ended. Your live chat provider should also have alarm tools to notify the security team immediately of any security incidents so that potentially damaging security breaches never fly under the radar.

3. Vulnerable chatbots 

Chatbots have become a natural extension of live chat by helping businesses offer 24/7 customer assistance. Despite their usefulness, chatbots can also be vulnerable to attack by hackers who are trying to gain entry into the system.

In November 2020, Ticketmaster UK was fined £1.25m for failing to keep its customers’ personal data secure in a chatbot data breach that took place in 2018. According to the BBC, “An investigation found a vulnerability in a third-party chatbot that Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details. Following the breach, 60,000 Barclays bank customers were victims of fraud. Online bank Monzo had to replace 6,000 payment cards due to fraud.” 

Ticketmaster UK isn’t the only company to fall victim to a chatbot breach. In 2019, Delta Airlines sued their chatbot provider over a data breach that occurred in 2017. The Wall Street Journal reports: “The airline accuses the vendor of failing to implement basic security controls such as requiring multifactor authentication for employees accessing source code and forbidding staff members from using the same login credentials, according to the complaint. Hackers modified the chatbot’s source code using compromised credentials, then monitored activity on Delta’s website and captured data that visitors entered there.” Delta’s lawsuit adds that the breach wouldn’t have happened if the vendor had implemented “even basic access restrictions,” which were unfortunately an afterthought for the chatbot provider. 

Staying secure: Your live chat provider should combine classic protections with the latest in security technology. All incoming chat requests should be validated through a third-party firewall, to help ensure that only legitimate requests will be answered by your chatbot or live agent. This helps prevent the host website and the chatbot from being compromised, and blocks foreign or unknown entities from getting hold of secure information.

Additionally, any credit card information accepted over live chat or via a chatbot should be concealed and encrypted so that it cannot be improperly used by hackers. If your chatbot is available on multiple platforms, it is imperative that this be the standard there too: Comm100’s Credit Card Masking feature automatically hides credit card numbers that are sent by visitors via live chat and other integrated channels including Facebook, Twitter, Email, SMS, WhatsApp for Business, WeChat, and more.

4. Mobile phishing attacks 

With live chat, you can support your customers from literally anywhere: in the office, at home on your laptop, or even via mobile app. With this convenience comes the need to use live chat software that can mitigate the risks of malware attacks targeting a range of devices. 

Mobile phishing attacks have been on the rise since the beginning of the COVID-19 pandemic. This spike has been particularly evident in the pharmaceutical industry, where phishing attacks more than doubled from 7.06% in Q4 2019 to 15.26% in Q1 2020. This trend is in part due to the fact that well-crafted attacks are harder to spot on mobile devices. It also coincides with the targeting of employees who are working from home, where people may exercise less caution.

Staying secure: To mitigate these and other mobile cyber-attacks, experts suggest having an up-to-date operating system, reliable anti-malware, and providing training to employees working from home to identify phishing attacks. 

Additionally, for secure live chat, your provider should have sign-on and authentication features designed to make it easier to assist customers between devices and locations. For example, Comm100’s Lightweight Directory Access Protocol (LDAP) and other single sign-on protocols allow your agents to access Comm100 via centralized authentication. This provides better security by helping agents move between applications without having to re-enter usernames and passwords, which could make them vulnerable to attacks. Agent passwords are protected by authenticating them via HTTPS and by storing them in company databases that are kept private through irreversible encryption. Password complexity standards, account lock-outs, and CAPTCHA protections are also in place to prevent malicious attacks no matter where your agents sign on from. 
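The password protections listed above (irreversible storage, account lock-outs) come down to a few concrete mechanisms: a salted one-way hash so the stored value cannot be turned back into the password, a constant-time comparison at login, and a failure counter that locks the account for a while. The block below is an added example, not Comm100’s implementation; the PBKDF2 iteration count, the lockout threshold and duration, and the injectable clock are assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict

PBKDF2_ITERATIONS = 100_000   # assumed work factor; raise as hardware improves
MAX_FAILED_ATTEMPTS = 5       # assumed policy: lock after this many failures
LOCKOUT_SECONDS = 900         # assumed policy: 15-minute lockout


@dataclass
class AgentRecord:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted hash: the output cannot be reversed to the password,
    and the same password gives a different hash under a different salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class AgentStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._agents: Dict[str, AgentRecord] = {}
        self._now = now          # injectable clock so lockouts can be tested

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)   # unique per agent
        self._agents[username] = AgentRecord(salt, hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        rec = self._agents.get(username)
        return rec is not None and self._now() < rec.locked_until

    def verify(self, username: str, password: str) -> bool:
        rec = self._agents.get(username)
        if rec is None:
            # Hash anyway so an unknown username costs as much time as a
            # wrong password and does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return False
        if self._now() < rec.locked_until:
            return False         # locked: reject even a correct password
        candidate = hash_password(password, rec.salt)
        if hmac.compare_digest(rec.pw_hash, candidate):   # constant-time
            rec.failed_attempts = 0
            return True
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            rec.locked_until = self._now() + LOCKOUT_SECONDS
        return False
```

The store never holds the password itself, only the salt and the hash, so a copy of the database does not yield agent credentials; the lockout counter is what turns repeated guessing into a detectable, self-limiting event.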

5. Internal breaches 

External breaches aren’t the only way that your security can be compromised. Reliable live chat providers must protect against internal breaches as well. 

Internal breaches aren’t always intentional: some blur with external breaches, such as when an employee’s information has been compromised by cyber attackers and their login is being used to cause systematic harm. Other times, a disgruntled employee might act of their own volition to steal or leak customer or company information. Take, for example, an ex-employee of SunTrust bank who attempted to download information on 1.5 million clients to share with a criminal third party. Or the Tesla insider who made “extensive and damaging” code changes to the Tesla Manufacturing Operating System before exporting large amounts of sensitive information to an unknown organization.

Staying secure: Internal breaches can happen at any point in the customer service or operational experience of a company. Your omnichannel live chat vendor should give you ample auditing, permissions, and data processing tools to ensure that your customer data is kept safe and sound. And, they should be responsible for extensive internal audits to ensure that the credibility of their live chat is never undermined or compromised. 

Comm100’s PCI DSS compliant system lets you strictly designate who is allowed access to sensitive data. Customer payment information is encrypted and kept stored in secure servers, where it cannot be re-accessed. All agent activity as well as all changes made to your system can be tracked via audit logs, providing accountability and protection across the board. Formal risk assessment is conducted via intensive internal audits, and any changes at the foundational level are heavily managed and regulated.  
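Audit logs only provide accountability if the records themselves cannot be quietly edited or trimmed, including by the insiders the section is about. One standard way to make a log tamper-evident is to chain entries by hash, so each record commits to the one before it. The block below is an added example, not Comm100’s audit log; the entry fields, the canonical JSON encoding and the two `simulate_*` hooks (present only to demonstrate detection) are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the log, starting at 0
    agent: str        # who acted
    action: str       # what they did, e.g. "view_transcript"
    detail: str       # free-form context, e.g. a chat id
    prev_hash: str    # hash of the previous entry (links the chain)
    entry_hash: str   # hash over this entry's fields, including prev_hash


GENESIS_HASH = "0" * 64   # prev_hash of the very first entry


def _digest(seq: int, agent: str, action: str, detail: str, prev_hash: str) -> str:
    # Canonical JSON so identical fields always hash identically.
    payload = json.dumps([seq, agent, action, detail, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def record(self, agent: str, action: str, detail: str = "") -> AuditEntry:
        seq = len(self._entries)
        prev = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        entry = AuditEntry(seq, agent, action, detail, prev,
                           _digest(seq, agent, action, detail, prev))
        self._entries.append(entry)
        return entry

    def head_hash(self) -> str:
        """Hash of the latest entry. Keep a copy outside the log store
        (e.g. in a separate system) so that removed tail entries are noticed."""
        return self._entries[-1].entry_hash if self._entries else GENESIS_HASH

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return the position of the first inconsistent entry, or None if the
        chain is intact. With expected_head, a chain that is internally
        consistent but ends on a different hash (entries removed) fails at
        position len(log)."""
        prev = GENESIS_HASH
        for expected_seq, e in enumerate(self._entries):
            recomputed = _digest(e.seq, e.agent, e.action, e.detail, e.prev_hash)
            if e.seq != expected_seq or e.prev_hash != prev or e.entry_hash != recomputed:
                return expected_seq
            prev = e.entry_hash
        if expected_head is not None and prev != expected_head:
            return len(self._entries)
        return None

    # Constructed hooks for the demonstration only; a real store would not
    # expose ways to alter stored records.
    def simulate_record_edit(self, seq: int, new_detail: str) -> None:
        self._entries[seq] = replace(self._entries[seq], detail=new_detail)

    def simulate_truncate(self) -> None:
        self._entries.pop()
```

An edited record is detected because its stored hash no longer matches the recomputed one; a removed tail is not visible from the chain alone, which is why `head_hash()` should be recorded somewhere the log's administrators cannot reach. In practice the hash chain is combined with append-only storage and restricted permissions, which is the "who is allowed access" control the section describes.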

Live chat security compliance: What to look for

It’s safe to say that the more security regulations your live chat provider complies with, the better. Security regulations are designed to keep businesses and their customers safe from data breaches. However, which specific security features are on your radar may depend on other factors, such as your industry and business location. Here are some security standards that you should ensure that your live chat provider complies with: 

  1. SOC 2 Type II — SOC stands for “system and organization controls,” and includes a series of standards designed to help measure how well a given service organization conducts and regulates its information. SOC 2 Type II compliance is based on five key trust principles, and denotes the highest degree of excellence in security, availability, processing integrity, confidentiality, and privacy of customer data. 
  2. ISO 27001 — ISO 27001 certification denotes live chat providers who have implemented an ISMS (Information Security Management System) which complies with an internationally recognized set of policies, controls and practices for systematically managing information. 
  3. PCI DSS — PCI DSS compliance denotes the highest standard of security for companies who handle credit card data. PCI DSS live chat providers mask credit cards, secure forms, and use irreversible encryption to keep passwords and other sensitive information as safe as possible. 
  4. HIPAA (Health Insurance Portability and Accountability Act) — A United States federal statute, HIPAA was enacted to help keep patient information safe and confidential. A HIPAA-compliant live chat solution is absolutely necessary for healthcare providers who engage digitally via secure chat with their clients. 
  5. GDPR — The GDPR (The General Data Protection Regulation) was introduced in 2018 and gives European citizens the right to request, access, and delete data stored by companies. Companies based in the EU or handling the data of EU citizens must use GDPR-compliant live chat, or risk steep penalties. 

Between COVID-19, Facebook, the US elections, and GDPR, the way that we relate to, talk about, and interact with data is always changing. Customer frustration and fatigue with data breaches is growing, and the fees and ransoms being imposed upon companies who fail to protect their data are climbing higher with them.

As data collection and customer service platforms become more centralized, the need to get serious about digital security is clear. Customer service employees everywhere must be taught secure protocol for handling customer information. IT professionals must be aware of what to look for in a data breach, and everyone from CEOs to marketing professionals must recognize the signs of a malware attack.

Cautionary exercises are a start. What’s really necessary to help keep your company safe is that your software platforms actively exercise risk mitigation protocols. Only you know what security standards are good enough for your business. The right live chat provider should have industry-leading compliances and security features that will keep you and your customers safe not just on live chat, but across customer service channels.

At Comm100, we take security seriously. Our platform is an enterprise-grade live chat application, with security features that perform at the top of the industry. As a SaaS and customer-driven company, we know the true challenges of providing quality and secure live chat services, inside and out. We have policies and practices that address a whole range of security concerns for all industries to help our clients exceed their customers’ expectations.

To learn more about Comm100’s comprehensive security features and certifications, take a look here.

Isabella Steele

About Isabella Steele

Isabella is a freelance editor, writer, and blogger with Comm100. She is passionate about helping people, teams, and organizations grow into their full potential, and excel in their service. In her spare time, you can find her traveling, painting, or drinking copious amounts of coconut water. Connect with Isabella on LinkedIn.