Could Your Website Be Leaking Sensitive Data?
December 16, 2019
by Tirtza Giles
For today’s companies, even a single webpage can serve a wide variety of purposes – including selling products, gathering analytics, generating user profiles, and conducting A/B testing. At the heart of many of these business goals is the collection of consumer details.
So, if your business collects personal information from customers and prospective customers online, you’re in good company. But, if you’re worried that these details could be exposed to bad actors, your concerns are well founded.
The reality is that many companies’ websites do leave sensitive data – including personally identifiable information (PII) – exposed to hackers and others who are eager to use these details for unethical and even illegal purposes. In fact, our large-scale data analysis has found that at least 92% of companies’ websites unknowingly leak data through their cookies, URLs, and/or storage. As a result, these companies face significant legal risk – particularly in light of groundbreaking consumer privacy laws such as the GDPR and the CCPA.
How is sensitive data accidentally leaked?
Much of the danger of accidental data leakage stems from the widespread reliance of today’s websites on embedded third-party services. Rather than building websites from scratch, many companies use these services to offer enhanced customer experiences and gather useful insights. While this approach to web development offers these businesses an efficient way to incorporate high-quality technologies into their websites without needing to invest the time and resources to develop them in-house, it also requires them to cede some control over their own online presence.
By default, when a third-party service is embedded into a webpage, that service has access to any data accessed by that page – including the page’s cookies, URL, and storage. In other words, should a page’s URL, cookies, or storage contain sensitive information (which at least 92% of companies’ websites do), that information would likely be exposed to any third-party services embedded into that page. Furthermore, even if the vendor behind an embedded third-party service has no ulterior motive for collecting information from a webpage, there is a risk that that service could be hacked, enabling cybercriminals to steal this information.
Adding to the risk, many third-party services themselves rely on embedded services – often giving fourth parties access to information from a webpage. In fact, the data that we at Namogoo have gathered and analyzed shows that 40% of websites’ embedded services come from fourth parties. This can result in situations in which sensitive information about a company’s customers could be available to vendors that the company’s developers are not even familiar with.
All of this makes it especially important for every company both to know which third- and fourth-party vendors have access to details from its website and to ensure that sensitive data is not being leaked to these companies inadvertently. When businesses fail to maintain these standards, they can find themselves facing significant legal danger.
Lessons from a major retailer’s close call
One example of this type of data leakage that we at Namogoo have seen occurred within the website of a large retailer in the U.S. We notified the company after we saw that some of its webpages’ URLs included its customers’ credit card numbers. Given the way the retailers’ site worked at the time, third-party services embedded into the affected webpages could have been able to steal hundreds of thousands of customers’ credit card numbers.
Once we alerted the company to this risk, it notified the vendors whose services could have been exposed to these credit card numbers, requesting that those businesses delete this sensitive information. Then, the retailer changed its code to prevent such sensitive details from being included in its webpages’ URLs in the future. As a result, it averted a potential crisis before bad actors could exploit this vulnerability.
Had this retailer not known about that vulnerability, the story could have ended very differently. For example, when British Airways fell victim to a large-scale data breach last year (apparently via third-party scripts), the cybersecurity failures that allowed for the data breach eventually resulted in a $229 million fine.
Taken together, the stories of the retailer and the airline illustrate a few key facts about the risk of data leakage that businesses should keep in mind:
- Major websites that collect sensitive customer details, such as credit card numbers, can be vulnerable to the leakage of that information.
- Without adequate safeguards, these details can be left exposed to third-party services – creating the potential for data breaches that can result in massive fines.
- A company can mitigate this risk by monitoring the third-party services embedded into its website, the information these services have access to, and any changes in the way third parties can gather data from its site.
In short, the differences between the two businesses’ stories largely boil down to each company’s awareness of what was really going on within its own website. That’s the key reason that, although both the airline and the retailer had security issues that put their customers’ credit card numbers at risk, only the retailer was able to resolve the problem in time to prevent a major data breach.
What does all of this mean for your business? If your website is one of the many that both collects customer details and has embedded third-party (and even fourth-party) services, it is essential to keep tabs on those services and the data they can access from your site. We know the bad actors are out there, looking to take advantage of vulnerabilities within companies’ websites, including data leakage. Only through consistent monitoring can you reliably detect and eliminate your own site’s leakage of sensitive customer details.
How vulnerable is your website to data leakage and other dangers stemming from its use of third-party services? To find out, you can get a free privacy risk analysis.