Published on June 11th, 2020
Written by Deepika Gajaria, Senior Director, Product Management

Data protection, controls and compliance don’t have to be an onerous obligation. With the right approach, you can turn them into a key differentiator for your business, says Tala’s Director of Product Management, Deepika Gajaria.

Data privacy and protection are fundamental aspects of every business with a digital footprint.

Compliance isn’t just about meeting legal obligations; as many businesses have learned, breaches cost money in fines, reputational damage, compensation claims and lost business.

  • In 2019, British Airways was fined a record £183m for a breach of the personal data of over 500m customers following a Magecart-type formjacking attack.
  • Polish online shopping company Morele.net was fined €650,000 in 2019 for a breach of more than 2m customer personal details.
  • In January 2020, US retailer Hanna Andersson became the first company to face a class action suit under the new CCPA regulations, following a breach of customer credit card details on its eCommerce site. Because the site was hosted by Salesforce, the CRM giant is also part of the complaint.

GDPR and CCPA are the headline-grabbers in a fairly lengthy lineup that includes HIPAA, PCI-DSS, APP (Australia) and PIPEDA (Canada). Most businesses are aware of their obligations and have implemented strategies and cybersecurity solutions to help secure their data. But some key assets are often overlooked, including web applications and websites with an average of 30 third-party integrations.

Rich user experience can create significant vulnerability

Modern web architecture creates an environment where up to 70% of the code rendering on websites today comes not from the site owner’s server, but via JavaScript integrations operating outside the security controls the majority of site owners deploy. Think chatbots, marketing analytics tools, location services - these integrations provide a rich, dynamic web experience. But they’re also vulnerable to attack by data thieves and cybercriminals in search of credentials, PII or credit card details. These are typically stolen by a ‘skimming’-type attack, where malicious JavaScript captures a copy of a user’s entry into a web form. This is not a single “mugging” of an individual user’s data; by compromising a widely used third-party component, attackers can “mug” multiple users on as many different sites as they wish, all exploiting the same vulnerability. But even that’s not the whole story: there are many ways hackers can exploit JS to access sensitive data - and many types of data they can steal, from credit card information to sensitive personal data and even geolocation information.

You can’t secure what you don’t know is there

All too often, organizations don’t have a handle on just how many of these integrations are running on their websites, never mind who is managing their security, or how. This is sometimes referred to as the website supply chain and it generally operates via unmanaged and unmonitored connections. What that means in real terms is that customer data is at risk every time they log in or enter their personal information, fill out a form or simply visit your website.

It’s not just about customer-entered data, either: sensitive data stored in persistent cookies (such as username and password) is vulnerable to exploit and can be used to enable attacks such as session hijacking, account takeovers and PII breaches. Web storage objects can also be exploited: capable of storing up to 5MB of information that can survive a page refresh or even a browser restart, locally stored web objects can be accessed and compromised via JavaScript running on your web page.

Most organizations implement security designed to secure their web servers from attack, but fail to consider the security necessary to protect their customers from their website. This client-side vulnerability is widespread. Without controls, data privacy is impossible to assure.

What this means is that enterprises are inadvertently breaching privacy regulations like GDPR or CCPA: if you don’t know WHO has access to WHAT information and WHERE that data is going - not to mention the controls in place at that third-party destination - odds are you’re in breach of the regulations. Now, you’re not just exposing your customers to risk, you’re also exposing your business to damages arising from regulatory enforcement fines, remediation costs and brand damage.

98% of websites use forms to collect PII and financial data from users. Due to reliance on third-party integrations, this data is exposed to an average of almost 16 third-party domains. In other words, user form data is exposed to an order of magnitude more domains than is intended by the website owner. That’s a lot of risk for both you and your customers.

What can website owners do?

Start by taking stock: What third-party software are you running? Who are the third parties collecting this data? You might be surprised to learn just how many are there - all capable of gathering data and presenting an attack surface you can’t protect because you don’t know it’s there. The average website relies on 31 third parties - how many are running on yours?

The next step involves understanding what personal data is actually visible to which third party. Enterprises rely on multiple third-party services, including chatbots, SEO tools, advertising etc. As mentioned earlier, any scripts running on a page have access to all that data on that page. Regulations like CCPA and GDPR require data privacy assurance and give consumers control and visibility into the data enterprises are allowed to collect, store and share.

Website owners are directly responsible for the protection of all PII data on their websites. A breach could cost millions in regulatory fines - not to mention remediation, reputational damage and lost business. Which brings us to the third - and potentially most important - area: Where is the critical data being collected by third parties going to? Why are they collecting it and what are they doing with it? Is it proportionate?
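The first stock-taking step above can be started from a page's own markup. The following is an added example, not Tala's code or part of the original article: it lists the non-first-party origins a page loads from and counts scripts that lack Subresource Integrity. The function name, sample page and `.test` hostnames are constructed for illustration.

```javascript
// Constructed sample page and URL (not from the original article).
const SAMPLE_PAGE_URL = 'https://www.example-shop.test/checkout';
const SAMPLE_HTML = `
<form action="/checkout"><input name="card"></form>
<script src="/js/app.js"></script>
<script src="https://cdn.chat-widget.test/v3/chat.js"></script>
<script src="https://cdn.analytics.test/a.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//tags.ads.test/t.js" async></script>
<iframe src="https://maps.geo.test/embed"></iframe>`;

// Returns one record per third-party origin: which tags reference it and
// how many of its scripts carry no integrity attribute.
function inventoryThirdParties(html, pageUrl) {
  const firstParty = new URL(pageUrl).origin;
  const byOrigin = new Map();
  // Simplified tag scan for the example; a real audit should use a DOM
  // parser or a headless browser rather than a regular expression.
  const tagRe = /<(script|iframe|form)\b([^>]*)>/gi;
  for (const [, rawTag, attrs] of html.matchAll(tagRe)) {
    const tag = rawTag.toLowerCase();
    const attr = (name) => {
      const m = attrs.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i'));
      return m ? m[1] : null;
    };
    const ref = attr(tag === 'form' ? 'action' : 'src');
    if (!ref) continue; // inline script or tag without a target
    const origin = new URL(ref, pageUrl).origin; // resolves relative and // URLs
    if (origin === firstParty) continue;
    const rec = byOrigin.get(origin) || { origin, tags: [], scriptsWithoutSri: 0 };
    rec.tags.push(tag);
    if (tag === 'script' && !attr('integrity')) rec.scriptsWithoutSri += 1;
    byOrigin.set(origin, rec);
  }
  return [...byOrigin.values()];
}

console.table(inventoryThirdParties(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

A static scan like this misses scripts that other scripts inject at runtime, so treat its output as a lower bound on the real third-party count.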

Making data protection a differentiator is easy with Tala

When it comes to online transactions, trust is everything. 62% of consumers aren’t confident their personal data is secure with retailers. By complying with data protection regulations, you’re not only satisfying the regulator, you’re giving your customers the confidence to do business with you.

The good news is that most modern web browsers (both PC and mobile) are designed to include fine-grained security controls and standards to monitor and block unauthorized access by third party scripts. Tala automates the activation of these expert-developed security controls, bringing AI-driven threat intelligence to help every website owner identify and control the third party code running on their sites. Critically, because these controls exist in the browser, there is zero impact on website performance.

  • Tala analyzes XHR requests to discover the JavaScript libraries that have access to sensitive data, giving the flexibility to control access. Sensitive data can reside in multiple locations: it can be routed via forms, captured in cookies or stored in local or session storage. To develop a complete view into sensitive data exposure, it is critical to track and restrict all of these components.
  • Tala analyzes all forms, cookies and storage that exist on a website, including long-forgotten, obsolete pages, ensuring full insight and awareness of all third-party code operating on the site that may have access to sensitive data.
  • Tala provides a view of the PII data each third party has access to, enabling the business to adjust permissions for certain vendors, depending on the data they require.

 


 

Tala’s standards-based policy generation engine

Tala automatically generates client-side (browser) policies to prevent browser attacks like XSS and Magecart. Tala’s policies are built on industry-developed standards, including Content Security Policy (CSP), Subresource Integrity (SRI), HTTP Strict Transport Security (HSTS), sandboxing (iframe rules) and Referrer-Policy, which are built into all major PC and mobile browsers.

These policies, when applied in combination, can provide protection against sophisticated attacks and manipulation of both first party and third party code. In particular, a new and upcoming feature within browsers called feature-policy allows website owners to specify which domains can access sensitive user information and resources. For example, feature-policy allows a website to block a third-party script from accessing a user’s microphone or camera.
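To show how these headers fit together, here is an added example (not Tala's policy engine and not from the original article) that builds the response headers from an allowlist and checks whether a given destination would be permitted. The allowlist, `.test` hostnames and function names are constructed, and the matcher is deliberately simplified to exact origins and `'self'`.

```javascript
// Hypothetical allowlist (constructed): origins the site owner has reviewed.
const ALLOW = {
  script: ['https://cdn.analytics.test'],
  connect: ['https://api.analytics.test'],
  frame: ['https://maps.geo.test'],
};

// Build response headers for the standards named above.
function buildSecurityHeaders(allow) {
  const csp = [
    "default-src 'self'",
    `script-src 'self' ${allow.script.join(' ')}`,
    `connect-src 'self' ${allow.connect.join(' ')}`, // XHR, fetch, beacons
    `frame-src ${allow.frame.join(' ')}`,
    "form-action 'self'", // where forms may submit
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
  return {
    'Content-Security-Policy': csp,
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    // Feature-Policy syntax as of this article; browsers later renamed the
    // header Permissions-Policy, which uses a different value syntax.
    'Feature-Policy': "camera 'none'; microphone 'none'; geolocation 'self'",
  };
}

// Simplified CSP check: exact-origin and 'self' sources only (no wildcards,
// paths, schemes, nonces or hashes). Fetch directives fall back to default-src.
function wouldAllow(csp, directive, url, pageUrl) {
  const directives = new Map(csp.split(';').map((d) => {
    const [name, ...sources] = d.trim().split(/\s+/);
    return [name, sources];
  }));
  const sources = directives.get(directive)
    || (directive.endsWith('-src') ? directives.get('default-src') : null);
  if (!sources) return true; // no applicable directive: unrestricted
  const target = new URL(url, pageUrl).origin;
  const own = new URL(pageUrl).origin;
  return sources.some((s) => (s === "'self'" ? target === own : s === target));
}
```

Serving the same policy first as `Content-Security-Policy-Report-Only` shows what would be blocked before anything is enforced.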

Tala protects sensitive data

With new privacy and data protection regulations in place, website owners must prioritize restricting access to sensitive user data so that their websites don’t become conduits for data breaches or violations of privacy regulations. To find out more about the risks specific to your organization, Tala can provide a Website Risk Analysis to highlight client-side vulnerabilities on your web properties. Tala advocates both understanding risk and enabling standards-based, browser-native controls. We help organizations deploy and dynamically tune these capabilities to ensure continuous client-side security, with zero impact on performance.

 

 

 
