Sensitive Data Exposure
Sensitive data exposure occurs when sensitive data is stored or transmitted without adequate cryptographic protection, whether at rest, in transit, or even in the user's browser. Strong, correctly applied encryption is fundamental to securing sensitive information. Common issues such as failing to encrypt passwords, using home-grown or legacy algorithms (such as MD5 or SHA-1, which are general-purpose hashes rather than password hashes), poor key management, or unpatched servers are weaknesses an attacker can exploit.
Prevention Measures
Because of the range of threats you need to protect this data from (e.g., an insider with database access, an external attacker on the network), make sure you adequately encrypt all sensitive data both at rest and in transit.
Do not store sensitive data unnecessarily. Data that you don’t have can’t be stolen.
Disable autocomplete on form fields that collect sensitive data, and disable caching for pages that contain sensitive data (for example, with a Cache-Control: no-store response header) so that credentials and personal data are not left behind in the browser.
Use a salt when creating password hashes. A salt is random data, generated per user and stored alongside the hash, that is mixed into the hashing process so that two users with the same password get different hashes. This defeats precomputed (rainbow) tables and forces an attacker to brute-force each hash separately.
Ensure that passwords are stored with an algorithm specifically designed for password hashing, such as bcrypt, PBKDF2, or scrypt. These are deliberately slow and have a tunable cost parameter, unlike general-purpose hashes such as MD5 or SHA-1, which are fast by design and therefore cheap to brute-force.
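The two points above, salting and using a dedicated password hash, in working code. This is an added example, not code from the original article: it uses PBKDF2-HMAC-SHA256 from the Python standard library (bcrypt and scrypt are equally valid choices), and the record format `pbkdf2_sha256$iterations$salt$hash`, the function names and the 600,000 iteration count are choices made for this example. An unsalted MD5 hash is shown beside it only to make the contrast visible.

```python
import hashlib
import hmac
import os

# Added example (not from the original article). The record format and
# iteration count below are this example's own choices, not a standard.
ITERATIONS = 600_000  # high enough that each guess costs the attacker real CPU time


def weak_hash(password: str) -> str:
    """What the article warns against: fast, unsalted MD5.

    Identical passwords always produce identical hashes, so one precomputed
    table (or one cracked hash) covers every user who chose that password.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex).

    Storing the salt and iteration count with the hash lets the cost be raised
    later for new passwords without breaking verification of old ones.
    """
    salt = os.urandom(16)  # 128-bit random salt, fresh for every call
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the salt and iterations stored in the record
    and compare in constant time, so timing does not leak how many leading
    bytes matched."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed record (wrong field count, bad hex, non-numeric count)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted MD5, hashed twice:", weak_hash(pw) == weak_hash(pw))  # True: identical
    record_a, record_b = hash_password(pw), hash_password(pw)
    print("salted PBKDF2, hashed twice, records differ:", record_a != record_b)  # True
    print("verify correct password:", verify_password(pw, record_a))  # True
    print("verify wrong password:  ", verify_password("Tr0ub4dor&3", record_a))  # False
```

Note that `hash_password` never needs a stored salt as input: the salt is generated inside it and travels with the hash, which is the part people most often get wrong when they add a single application-wide "salt" constant.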
Ensure that the transport layer is secured with TLS. Do not allow SSL (SSLv2 and SSLv3), which has known, exploitable flaws. TLS 1.0 and 1.1 are also deprecated and should be disabled; require TLS 1.2 at minimum and prefer TLS 1.3 where the platform supports it. Clients must also actually verify the server certificate and hostname, since an encrypted connection to an impostor protects nothing.
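The transport-layer advice above as a client-side configuration check. This is an added example, not code from the original article: it uses the Python standard library `ssl` module to build a hardened client context, shows the weak context that commonly appears in code that "fixes" certificate errors, and audits either one for the settings the paragraph calls out. The function names, the `audit_context` finding strings and the connect helper are this example's own.

```python
import socket
import ssl
from typing import List, Optional, Tuple

# Added example (not from the original article). Function names and finding
# text are this example's own choices.
TLS_MINIMUM = ssl.TLSVersion.TLSv1_2  # anything below this is deprecated


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses SSLv2/v3 and TLS 1.0/1.1 and insists on
    certificate and hostname verification. TLS 1.3 is negotiated whenever
    both sides support it."""
    ctx = ssl.create_default_context(cafile=cafile)  # system CA store when cafile is None
    ctx.minimum_version = TLS_MINIMUM
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: accept any certificate for any hostname. The traffic
    is still encrypted, but to whoever answers on the other end."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context meets the
    minimum bar described in the article."""
    findings = []
    if ctx.minimum_version < TLS_MINIMUM:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}; require TLSv1_2 or later"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def connect_and_report(host: str, port: int = 443) -> Tuple[str, str]:
    """Open a verified connection and return (negotiated protocol, cipher).
    Requires network access; not exercised offline."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _protocol, _bits = tls.cipher()
            return tls.version(), cipher_name


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:    ", audit_context(weak_client_context()))
```

Run against a context pulled out of an application's HTTP client setup, `audit_context` gives a quick answer to the two questions a reviewer asks first: what is the lowest protocol version this client will accept, and will it talk to a server whose certificate does not check out.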
Ensure that server certificates are kept up to date (renewed before expiry, revoked and replaced if the key is compromised) and are issued by a recognised certificate authority (see https://en.wikipedia.org/wiki/Certificate_authority).