
Customer Listening Services: User & Consumer Privacy at Risk

Corporations and organizations need to be aware of the ramifications of how they are using internet trackers. Understandably, many organizations leverage internet trackers to produce targeted ads, improve the customer experience, and better understand the voice of their customers. What many companies and organizations may not realize is that they may be unknowingly feeding sensitive data to third-party organizations, putting their customers at risk of theft by cybercriminals and fraudsters and potentially running afoul of privacy laws.


What we are seeing


After receiving information from these application trackers, some third-party companies attempt to use automated processes to filter out, remove, or mask any sensitive information received. That said, the third-party companies lack transparency on the details behind their processes and often fail to sanitize critical data. We are skeptical as to the reliability of these processes, especially as it relates to storage of sensitive data. We are also concerned that cybercriminals could perform a man-in-the-middle (MITM) attack or use something such as a SQL injection attack to grab data from a customer listening session. Based on our research, we feel strongly that this problem is vast and could hit any organization that is doing third-party marketing or customer “listening” campaigns.


This is an issue that arose from the desire to ensure a positive and elegant customer experience. In their efforts to garner meaningful customer feedback, companies began using third-party marketing firms to assist them with awareness or ad campaigns. While marketing teams within these companies are generally the authority on these trackers, the implementation for these trackers often requires technical skills to properly configure them to capture only required information and safeguard sensitive information. All organizations that do online customer listening or marketing campaigns might have a hidden problem, and it has caught the attention of Capitol Hill.


This is an issue that has resulted in publicly filed class action lawsuits for major corporations and organizations, including HBO, AARP, and ESPN. Recently, class action lawsuits have been brought against health care organizations. While it is common for organizations to install tracking tools for marketing and operations purposes, it is important for them to consult with their Information Security, Compliance and Data Privacy, and Legal departments as well. Understanding what data they are collecting and how it is being used is critical to ensuring compliance and protecting data.


How Fortalice can help


  • We have already done multiple web app testing cases and it is not a large commitment on behalf of your organization.

  • What can you do about it right now? Some steps your organization can take:  

  1. When implementing and configuring tracking technology, run tests that emulate common website activities, and ensure only data appropriate for the task is collected and transmitted.  

  2. To help organizations better understand their risks quickly and efficiently, Fortalice has built a proprietary privacy health check tool to run through your organization's web pages and mobile apps quickly, looking for the worst issues. In our experience, it is never a question of whether trackers are present; rather, it is a question of how prevalent they are. If we find an issue, we can fix it for you or coach and mentor your team on how to keep your campaigns running more securely and safely for your organization and for the privacy of your customers.
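
One way to run the test described in step 1, as an added example that is not Fortalice's tool or code from this page: type known canary values into the site during an emulated session, export the browser's network capture as a HAR file, and search every third-party request for those values in plain, base64 and SHA-256 form. The host names, canary values and HAR excerpt are constructed assumptions.

```python
import base64, hashlib, json
from urllib.parse import urlsplit, unquote_plus

FIRST_PARTY = "clinic.example"  # assumption: the site under test
# Constructed canary values the tester types into forms during the session.
CANARIES = {"email": "canary.user@example.test", "dob": "1984-02-29",
            "search": "oncology appointment"}

def encodings(value):
    """Forms in which a tracker might carry a value: raw, base64 or hashed."""
    norm = value.strip().lower()
    return {"plain": norm,
            "base64": base64.b64encode(value.encode()).decode().lower(),
            "sha256": hashlib.sha256(norm.encode()).hexdigest()}

def is_third_party(url):
    host = urlsplit(url).hostname or ""
    return not (host == FIRST_PARTY or host.endswith("." + FIRST_PARTY))

def find_leaks(har):
    """Return (host, canary, form) for each canary seen in a third-party request."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if not is_third_party(req["url"]):
            continue
        raw = req["url"] + " " + req.get("postData", {}).get("text", "")
        haystack = (raw + " " + unquote_plus(raw)).lower()  # raw and URL-decoded
        host = urlsplit(req["url"]).hostname
        for name, value in CANARIES.items():
            for form, needle in encodings(value).items():
                if needle in haystack:
                    findings.append((host, name, form))
    return findings

# Constructed HAR excerpt (same shape as a browser DevTools export).
_h = hashlib.sha256(CANARIES["email"].encode()).hexdigest()
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://www.clinic.example/book", "method": "POST",
                 "postData": {"text": "email=canary.user%40example.test"}}},
    {"request": {"url": "https://metrics.tracker.example/collect?ev=search"
                        "&q=oncology+appointment", "method": "GET"}},
    {"request": {"url": "https://pixel.adnet.example/e", "method": "POST",
                 "postData": {"text": json.dumps({"ev": "submit", "em": _h})}}},
    {"request": {"url": "https://cdn.fonts.example/a.woff2", "method": "GET"}},
]}}

if __name__ == "__main__":
    for host, name, form in find_leaks(SAMPLE_HAR):
        print(f"{host}: canary '{name}' sent as {form}")
```

Any finding means a value typed into the site reached a third party; a hashed match still counts, because a hashed e-mail address remains a stable identifier for the person.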
