With the growing use of smart phones and other mobile devices carriers have started to monetize mobile data far more than voice calling and text messaging which means that data prices are rising. Previously unlimited data plans were offered by almost every carrier but now there are far fewer unlimited data plans being offered. This means that most consumers are more conscious about their data usage as they may not be on an unlimited plan. Some mobile devices such as tablets and iPods may not have a cellular connection built into them and only use Wi-Fi as well.
Wi-Fi both paid and free is now available at more and more locations as the demand for that grows. Employees might be wanting to work or check their data from places such as coffee shops, airports, trains, and even the grocery store. The issue with most Wi-Fi hotspots is that the data is not encrypted in any way. This means that data being transmitted that is not encrypted using SSL is readable by anyone listening in, similar to how anyone on the right channel can listen to a radio broadcast. This could mean that if the user is accessing sensitive data that has not been encrypted others could be viewing it and recording it.
Some Wi-Fi hotspots may offer encryption but it could be using weaker security such as WEP, which can be broken in as few as 4 minutes, or WPA, which is vulnerable during the authentication procedure. This could lead to the illusion that the data is secure when in fact it could be compromised. Fake access points are also a concern in some areas as a malicious person could setup a fake access point and use the same SSID as the surrounding access points and most devices would automatically connect to that malicious access point if that were the strongest signal available. This could mean that all traffic transmitted could be recorded by a person using man-in-the-middle and the user may never be aware that such a thing is occurring.
Programs such as Ettercap and SSLStrip can allow an attacker to intercept SSL encrypted traffic and remove the encryption. The attacker could then record all of the transmitted data and either allow the user to view the unencrypted version of the page or still provide an encrypted version that displays a certificate warning to the end user. This means that an untrained person who just accepts an invalid certificate or does not notice the lack of a SSL connection could have all of their transmitted traffic captured.