Outdated web forms are fueling breaches, highlighting urgent security and compliance risks for organizations.
Key Takeaways:
A new survey reveals a hidden security crisis brewing inside legacy web forms, with nearly nine in ten organizations reporting form-related breaches in recent years. As businesses struggle with rising compliance demands and sophisticated cyberattacks, the findings highlight an urgent need to modernize data collection practices before vulnerabilities get out of control.
The 2025 Data Security and Compliance Risk: Data Forms Survey was conducted by Kiteworks and included 324 professionals specializing in cybersecurity, risk management, IT, and compliance. These participants represented organizations across multiple industries, including government, financial services, healthcare, and technology.
Legacy web forms are risky because they were designed for convenience, not security. They lack modern protections like encryption and real-time threat detection, which makes them easy targets for attacks such as SQL injection and cross-site scripting. Legacy web forms often handle sensitive data, and these weaknesses create serious compliance and privacy risks.
According to Kiteworks, 88% of organizations experienced at least one web form related security incident in the past two years, and 44% reported confirmed data breaches through form submissions. This is despite 64% rating their security maturity as advanced or leading.
Common web form threats include bot attacks, SQL injection, cross-site scripting, session hijacking, and man-in-the-middle attacks, which exploit weaknesses in legacy forms to steal or manipulate sensitive data. These risks are especially concerning because 85% of organizations prioritize data sovereignty, which is a critical requirement in regulated sectors like government, finance, and healthcare.
This report also highlighted that there is a significant detection-response gap in web form security. 82% of organizations have real-time threat detection, but only 48% use automated response, which creates delays that attackers can exploit. Moreover, mobile form submissions make up a large portion of traffic (21–60%), but mobile-specific security measures often lag behind desktop protections.
First, organizations should replace legacy web forms with modern, secure alternatives that include end-to-end encryption, real-time threat detection, and automated response capabilities. Legacy forms were not designed for security, and upgrading them is important to prevent attacks like SQL injection, cross-site scripting, and bot exploitation. Secure forms should also support compliance with regulations such as GDPR, HIPAA, and PCI DSS to ensure sensitive data is protected throughout its lifecycle.
Additionally, this report emphasizes prioritizing data sovereignty and mobile security. Organizations need to implement mobile-specific protections that match or exceed desktop security standards. Moreover, they should maintain control over where data is stored and processed for regulated industries like healthcare, finance, and government. Organizations can also significantly reduce risk and protect sensitive information by treating web forms as critical infrastructure and investing in advanced security measures.