With the holiday season upon us and Black Friday right around the corner, retailers are trying to understand why some customers abandon their online shopping carts before pressing “proceed to checkout” or “place your order.” Additionally, the marketing teams at these online retailers are furiously trying to figure out why some sales webpages are more effective than others. To solve these riddles, retailers are increasingly turning to web tracking services and fine-tuning their targeting efforts. But it is not just retailers: nearly every industry and most companies with an online presence will increase their web and mobile app customer tracking during this busy holiday season.
Corporations and organizations need to be aware of the ramifications of how they are using internet trackers. Understandably, many organizations leverage internet trackers to produce targeted ads, improve the customer experience, and better understand the voice of their customers. What many companies and organizations may not realize is that they may be unknowingly feeding sensitive data to third-party organizations, putting their customers at risk of theft by cybercriminals and fraudsters and potentially running afoul of privacy laws.
What we are seeing
Increasingly, Fortalice experts have found that numerous organizations’ third-party marketing campaign tools (or trackers) are capturing and sending (often unknowingly) their customers’ private and sensitive data to social media companies and big tech platforms (e.g., Meta Pixel, Google Analytics, Microsoft Clarity, Yahoo, LinkedIn, HotJar). Specifically, this information may include personally identifiable information (PII), including full names, email addresses, mailing addresses, cell phone numbers, IP addresses, or, in some cases, even health information, including insurance, medical conditions, appointment details, and general patient data.
After receiving information from these application trackers, some third-party companies attempt to use automated processes to filter out, remove, or mask any sensitive information received. That said, the third-party companies lack transparency on the details behind their processes and often fail to sanitize critical data. We are skeptical as to the reliability of these processes, especially as it relates to storage of sensitive data. We are also concerned that cybercriminals could perform a man-in-the-middle (MITM) attack or use something such as a SQL injection attack to grab data from a customer listening session. Based on our research, we feel strongly that this problem is vast and could hit any organization that is doing third-party marketing or customer “listening” campaigns.
This issue crosses three main operating areas in your organization: Marketing, Information Security, and Data Privacy. Marketing needs to be aware of the marketing campaigns running and the tools being utilized. Information Security needs to be aware because the issue presents a potential security vulnerability for the organization. Finally, Data Privacy needs to be aware because the issue is a privacy and compliance issue that crosses multiple regulated and non-regulated industries.
What is the root cause of this issue? How can organizations be unaware of this issue?
This is an issue that arose from the desire to ensure a positive and elegant customer experience. In their efforts to garner meaningful customer feedback, companies began using third-party marketing firms to assist them with awareness or ad campaigns. While marketing teams within these companies are generally the authority on these trackers, implementing them often requires technical skill to configure them so that they capture only the required information and safeguard sensitive information. All organizations that run online customer listening or marketing campaigns might have a hidden problem, and it has caught the attention of Capitol Hill.
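The two points above, trackers shipping PII to third parties and the configuration gap that lets it happen, can both be checked in the browser. The following is an added example written for this article, not Fortalice’s tool or any vendor’s code: it audits the outbound beacon requests a page sends to known tracker hosts for the PII categories named above, and shows an allowlist-based sanitizer that strips identifying fields from a tracking event before it leaves the site. The tracker hostnames, the sensitive-field key list, and the sample requests are assumptions constructed for illustration; adjust them to the trackers your own pages actually load.

```javascript
// Added example: audit tracker beacons for PII and sanitize event payloads.
// Hostnames, field names and sample requests are constructed for illustration.

// Third-party endpoints to audit (assumed list; extend for your own pages).
const TRACKER_HOSTS = [
  "www.facebook.com",          // Meta Pixel beacons
  "www.google-analytics.com",  // Google Analytics collection
  "www.clarity.ms",            // Microsoft Clarity
];

// Value patterns for PII categories the article names. Names and mailing
// addresses cannot be matched reliably by regex, so those are caught by
// parameter name via SENSITIVE_KEYS instead.
const PII_PATTERNS = {
  email: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i,
  phone: /\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/,
  ipv4: /\b(?:\d{1,3}\.){3}\d{1,3}\b/,
};

// Parameter names that indicate identifying or health data (assumed list).
const SENSITIVE_KEYS = new Set([
  "em", "email", "ph", "phone", "fn", "ln", "first_name", "last_name", "name",
  "address", "dob", "insurance", "condition", "diagnosis", "appointment",
]);

// Trackers often nest custom data as cd[field]; reduce to the inner name.
function baseName(key) {
  const m = key.match(/\[([^\]]+)\]$/);
  return (m ? m[1] : key).toLowerCase();
}

function isTrackerHost(hostname) {
  return TRACKER_HOSTS.some((h) => hostname === h || hostname.endsWith("." + h));
}

// Inspect one outbound request (URL plus optional form-encoded body) and
// return findings: which parameter carried which category of data.
// First-party requests return [] because the audit targets third-party leakage.
function auditTrackerRequest(urlString, body = "") {
  const url = new URL(urlString);
  if (!isTrackerHost(url.hostname)) return [];

  const params = new URLSearchParams(url.search);
  for (const [k, v] of new URLSearchParams(body)) params.append(k, v);

  const findings = [];
  for (const [key, value] of params) {
    for (const [category, re] of Object.entries(PII_PATTERNS)) {
      if (re.test(value)) findings.push({ key, category });
    }
    if (SENSITIVE_KEYS.has(baseName(key))) findings.push({ key, category: "sensitive-field" });
  }
  return findings;
}

// Mitigation: build the event from an explicit allowlist of non-identifying
// fields, and still reject allowed fields whose values look like PII
// (e.g. an email that ended up in a page path).
const ALLOWED_EVENT_FIELDS = new Set(["event", "page_path", "content_category", "currency", "value"]);

function sanitizeEventPayload(payload) {
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(payload)) {
    const str = String(value);
    const looksLikePii = Object.values(PII_PATTERNS).some((re) => re.test(str));
    if (ALLOWED_EVENT_FIELDS.has(key) && !looksLikePii) clean[key] = value;
    else dropped.push(key);
  }
  return { clean, dropped };
}

// Constructed samples: a lead beacon that leaked email, phone and a health
// field; a clean page-view beacon; and a first-party request (out of scope).
const LEAKY_BEACON =
  "https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=Lead" +
  "&cd[email]=jane.doe%40example.com&cd[phone]=555-123-4567&cd[condition]=diabetes";
const CLEAN_BEACON =
  "https://www.google-analytics.com/g/collect?v=2&en=page_view&dl=https%3A%2F%2Fshop.example%2Fcart";
const FIRST_PARTY = "https://shop.example/api/cart?email=jane.doe%40example.com";

console.log(auditTrackerRequest(LEAKY_BEACON));
console.log(auditTrackerRequest(CLEAN_BEACON));
console.log(sanitizeEventPayload({ event: "Lead", page_path: "/signup", email: "jane.doe@example.com", value: 49.99 }));
```

In practice the request URLs come from the browser’s network panel, a HAR export, or a `PerformanceObserver` on `resource` entries; feeding each one to `auditTrackerRequest` gives the Marketing, Information Security and Data Privacy teams the same list of offending parameters to act on, and `sanitizeEventPayload` illustrates the allowlist discipline a tracker configuration should enforce.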
In October, Senator Mark Warner of Virginia put Meta under the microscope for its “practice of collecting users’ health information through tracking applications.” These Pixel trackers collect sensitive data from customers without their consent or knowledge and put healthcare organizations on the hook for major cybersecurity incidents and lawsuits.
The consequences of mishandling customer data
This is an issue that has resulted in publicly filed class action lawsuits against major corporations and organizations, including HBO, AARP, and ESPN. Recently, class action lawsuits have been brought against health care organizations. While it is common for organizations to install tracking tools for marketing and operations purposes, it is important for them to consult with their Information Security, Compliance and Data Privacy, and Legal departments as well. Understanding what data they are collecting and how it is being used is critical to ensuring compliance and protecting data.
How Fortalice Can Help
We know technology, marketing, and security teams are stretched way too thin. We have a turnkey approach to assist anyone who needs coaching and mentoring on this issue or a helping technical hand.
What can you do about it right now? Some steps your organization can take:
To help organizations understand their risks quickly and efficiently, Fortalice has built a proprietary privacy health check tool that runs through your organization’s web pages and mobile apps looking for the worst issues. In our experience, it is never a question of whether trackers are present, but of how prevalent they are. If we find an issue, we can fix it for you or coach and mentor your team on how to keep your campaigns running more securely and safely for your organization and for the privacy of your customers.
Don’t wait until your organization becomes the next headline; take the time today to understand how your organization employs trackers.
To accompany this article, Theresa Payton, CEO of Fortalice Solutions, joined Hillarie McClure, host of the Cybercrime Magazine Podcast, to discuss third-party marketing tracking and customer listening services, the lawsuits against them, how they impact user and consumer policy, and more. Listen to the full episode here.