Data Leaks, Not Hacks, Are the Fastest Way to Sink a Brand

Protecting user data has never been more crucial – for consumers and brands alike. In the age of data privacy regulations, GDPR in Europe and CCPA in the US, not only do brands without proper protection for shoppers’ personally identifiable information (PII) risk significant fines, they also have to face a skeptical public that is becoming increasingly concerned about their data.

There is no shortage of data breaches garnering front-page coverage, with Macy’s and Best Buy just the recent victims of a long list of hacks impacting both their bottom lines and reputations. Yet there is an equally problematic issue that receives far less media attention than cyber-attacks – the accidental leakage of data by websites.

The Reality of Data Leaks and the Challenge of Prevention
Accidents happen – via URLs, storage, cookies and a variety of other vectors – and when those accidents involve leaking sensitive data on a site, that exposure can have significant consequences.

In theory, once identified, resolving the problem is straightforward, but in reality, damage control for such inadvertent leaks becomes much more complicated due to the presence of third party vendors on a site.

Why are there third party vendors on consumer-facing sites? To stay current in the crowded and competitive online landscape, businesses are constantly upgrading their site offerings to improve customer experience and increase sales, relying on third party solutions providers. These vendors provide much-needed improvements to a site's functionality: expedited checkout, improved returns, etc., but allowing them access also increases the risk that inadvertently leaked data is exposed to these vendors.

With as many as 92% of sites unintentionally leaking data via URLs, cookies, or storage, this type of third party exposure becomes highly problematic.

Additional Layers of Exposure
While the exposure of PII to these third party vendors is bad enough, the data doesn’t only reach those vendors that have been engaged by the company – it often ends up also being exposed to the fourth party vendors employed by the third party vendors to help maximize their services.

Indeed, every business has fourth party vendors accessing their sites, with an average of 40% of services on a site powered by these fourth parties. What’s worse, despite the enormous impact and substantial levels of access these fourth parties have, the brands, by and large, have no visibility into their data access or other activities.
As long as data is not leaking onto the wrong page, their presence is a non-issue, but once a leakage starts, it’s a different story altogether. Brands are unaware of who these fourth parties are, and therefore – unlike with third parties – damage control becomes exponentially more challenging. Add this lack of visibility to the fact that leaks can go unnoticed for months or years, and it’s not hard to imagine how the damage done by data leakage can cause serious harm to a brand's image.

How Bad Are PII Leaks For Brands?
One needs to look no further than the news to witness the damage that these leaks can cause a brand – both in reputation and financial costs. For example, when British Airways customer data was exposed due to a vulnerability in a third party’s software, the resulting scandal led not only to substantial brand damage but also to a $229 million intended fine.

While the amount may have raised eyebrows, expect more penalties to be levied against companies who fail to protect consumer data. Indeed, this case serves as a stark warning – data accidents are bound to happen, either from the brand itself or via their trusted third-party vendors, so brands must be prepared.

Digital chaos on consumer-facing sites is the rule, not the exception  
Given all of these layers of risk, companies must gain a better awareness of the possibility of unsecured data on their sites. But awareness alone is not enough. 

Monitoring the data accessed by these vendors is crucial – though, as mentioned, no simple task. Websites have dozens of third party vendors, and even more fourth party vendors, accessing their data daily, creating a complex and ever-changing ecosystem – especially as old parties leave and new vendors join.

Companies invest vast resources in building their brands and creating loyalty, as the highly competitive nature of online business requires return customers to drive consistent sales. While site optimization and personalization help to grow loyalty and trust, leaking personal data can undo the accumulated goodwill overnight. If customers decide they can't trust a retailer with their information, they will take their business elsewhere. 

Companies need to make sure that their data protection plans and platforms are doing more than keeping hackers at bay. Until brands tackle the other elements of digital chaos, including those potentially caused by their site vendors, leaks are only going to get worse. Preventing breaches is no small matter. Finding data leaks is another challenge entirely.
