Sensitive Data Exposure in Local Storage in Plaintext

Issue

Sensitive data exposure in local storage in plaintext

Impacted Frameworks and Reasons

GDPR (Articles 5 and 28)

  • Article 5 requires data minimization, purpose limitation, and integrity. Storing personal data in local storage in plaintext increases the risk of unauthorized access and violates these principles.
  • Article 28 requires that processors apply appropriate security measures. Local storage provides limited control and increases exposure risk.

CCPA and CPRA

  • Requires transparency and protection of personal data.
  • If personal data is stored in local storage, it can be accessed by browser extensions, scripts, or third party libraries, resulting in undisclosed sharing or unauthorized access.

HIPAA

  • PHI must be protected with adequate safeguards.
  • Storing PHI in local storage exposes it to any script running in the browser environment, which is considered insufficient protection and may be treated as an unauthorized disclosure.

PCI

  • Cardholder data must never be stored unencrypted or outside a controlled environment.
  • Local storage is not a secure environment and plaintext storage of cardholder data violates PCI protection and encryption requirements.

GLBA

  • Financial institutions must safeguard customer financial information.
  • Storage in local storage demonstrates insufficient technical controls.

PIPEDA

  • Requires secure handling and informed consent for personal data.
  • Storing sensitive data in local storage prevents demonstrating strong protection and increases the likelihood of unauthorized access.

APPI

  • Requires purpose limitation and confidentiality of personal data.
  • Local storage increases exposure risk and reduces confidentiality protections.

NIST 800 53

  • Emphasizes controlled access, encryption at rest, and protection of sensitive information.
  • Local storage does not provide strong access controls and makes data easily accessible to scripts or malicious actors.

ISO IEC 29100

  • Requires accountability, transparency, and suitable safeguards.
  • Storing sensitive data in local storage provides insufficient protection and weakens assurance.

KSA PDPL

  • Requires lawful processing and safeguards to prevent unauthorized disclosure.
  • Local storage increases the likelihood of unintentional disclosure.

UAE PDPL

  • Processing must remain protected and aligned with the stated purpose.
  • Plaintext in local storage creates misalignment between required protection and actual handling.

Qatar PDPPL

  • Requires strong safeguards to prevent unauthorized access.
  • Local storage provides limited control and increases exposure risk.

Avoid storing sensitive data in local storage. Audit and refactor frontend code to remove unnecessary handling of sensitive data in browser accessible storage.

Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Next to read:
Sensitive Data Exposure in Third Party or AI Integrations (beyond DPA)

© 2025 HoundDog.ai, Inc. All rights reserved.

On This Page
Sensitive Data Exposure in Local Storage in PlaintextIssueImpacted Frameworks and ReasonsGDPR (Articles 5 and 28)CCPA and CPRAHIPAAPCIGLBAPIPEDAAPPINIST 800 53ISO IEC 29100KSA PDPLUAE PDPLQatar PDPPLRecommended Remediation