It’s e-commerce 101: A company has to encrypt your credit card data when you buy something online. Yet security company Wandera just found at least 16 companies, with a combined 500,000 daily users, who are not always encrypting data—specifically not on their mobile websites and, in some cases, their apps. Offenders range from giants like airlines EasyJet and Aer Lingus to the San Diego Zoo and the TriBeCa Med Spa in Manhattan. Data sent “in the clear” include credit card numbers, birth dates, and passport numbers. The kicker: Wandera has had a difficult time getting in touch with several of these companies to warn them ahead of announcing the vulnerabilities today.

Several companies involved, including Aer Lingus, CN Tower and easyJet, dispute Wandera’s findings. Wandera claims that easyJEt has since fixed the problem; and Fast Company is awaiting Wandera’s response to all the companies’ claims.

“We were very surprised when we found [the vulnerability] in the first place,” says Wandera CEO and cofounder Eldar Tuvey. ” His two-and-a-half year old company provides mobile security services for very large clients including Bloomberg, Office Depot, and NATO by channeling all Internet data through Wandera’s servers. Artificial intelligence algorithms analyze the data for patterns that indicate a cyber attack or employees going to NSFW destinations, like porn or gambling sites. Faulty website encryption wasn’t even on the company’s radar, he says, but it showed up in their analysis. “We had been looking for man-in-the-middle attacks or jailbroken phones…password leaks or username leaks,” says Tuvey. “We didn’t think we would find any credit card data.”

Tuvey suspects that the problem may go well beyond the 16 companies they have found so far (listed at the end of this article). With a few hundred clients, he estimates that Wandera sees only about 2% of the world’s mobile traffic. “If in our data that we do see we found this much, I’m assuming that in all the other data that we don’t see there’s just as many if not more,” says Tuvey.

Amazon (above) uses HTTPS encryption. The San Diego Zoo (below) does not.

The rookie mistake is that these companies are using the regular http protocol for web traffic instead of the encrypted https version that’s standard fare in the world of e-commerce. (It’s required by the PCI Security Standards Council, a body made up of the major credit card companies.) Many people have probably heard the admonition to look for “https” at the beginning of a URL, and a padlock icon signifying encryption near the address bar, before entering credit card info into a web form.

“I think just because of the screen sizes it’s a difficult thing,” says Tuvey. Mobile versions of browsers like Chrome and Safari do show the padlock icon, but it’s only a few pixels across; and both mobile and desktop browsers sometimes hide the gobbledygook of web addresses, like “http://” and even the “www” parts. And mobile apps don’t have a standard way to show if they are using an encrypted connection.

So this sounds bad, but how dangerous is it, really, to send sensitive data unencrypted over the Internet? The biggest hazard is often in the immediate physical proximity, through what’s called a man-in-the-middle attack. Someone gets between a computer or cellphone user and their Internet connection, allowing them to comb through all the data that passes to and from the person’s device. This can happen with public Wi-Fi, in which the attacker is logged on to the same network that everyone else is. Or a hacker can create their own network with a mobile hotspot that fits into a backpack. “You can set one up in a coffee shop,” says Tuvey,” call it Free Coffee Wi-Fi, and you’d be amazed how many people just go onto it.”