GDPR Compliance Risks on Websites

Authored by Matt O’Neill, General Manager, Europe, The Media Trust. 

The way the cookie crumbles


Today’s websites and apps (your corporate website included) are powered by sophisticated technology. After all, in order support consumer expectations—content consumption, search, social networking, shopping carts, travel booking, banking, news, gaming and so much more—websites incorporate robust solutions on the backend.

These solutions aren’t news to most InfoSec professionals, but it is where security problems start. Think about it. Almost 80% of a typical website’s functionality is outsourced to vendors providing specialized services such as data management platforms, marketing analytics, customer identification, image or video hosting, payment processing, content delivery and more. This third-party code operates outside the purview of your IT and security infrastructure, which means that you control less than 25% of the code executing on your website. As the website operator, you have no insight into when this code is compromised to act as a conduit for malware propagation and unauthorized audience data collection. Considering the current regulatory environment around data compliance, the above statistics should make you nervous.

Cookie crumbs

To put it bluntly: You can’t control what you don’t see, and the third-party code enabled functionalities on your digital properties are compromised more often than you think. Also, you have more third-party code than you realize.

As the security provider of choice for the world’s largest digital properties, The Media Trust scans websites for security and policy violations and actively manages more than 500 incidents at any one time. Some of the simplest websites average 10 third-party vendors, but most have dozens. The vendors continuously change and so do their actions.

The Media Trust’s website security and scanning team often detects persistent or unauthorized cookies with a lifespan of 30 years or more; one brand name ecommerce website recently dropped a 7,000+ year cookie. This is a huge issue with the EU’s General Data Protection Regulation (GDPR) which goes into effect in less than a year. Compliance to GDPR requires detailed, real-time, knowledge of executing digital partners and their activity, including the type of data collected and how long the partner remains on the user’s device, i.e., browser, phone, tablet, etc.

If you are wondering how GDPR affects your business, then you’ve got a lot of catching up to do. GDPR supports the data protection rights of every EU resident, therefore every business with EU interests—in the form of customers, legal entities, business infrastructure, etc.—needs to comply. And, the global nature of the internet means any business with EU website traffic or app users needs to comply as well.

Clearly, enterprises should make some changes to digital operations in order to reduce exposure to GDPR violations. At a minimum, you need to do the following for all your digital properties—websites (desktop and mobile) and mobile apps included:

1. Communicate privacy policy

  • Write a clear privacy policy that explains use of third-party code and outlines any data collection activity
  • Place banner on homepage
  • Deliver Internal training

2. Provide easy-to-use opt in/ opt out mechanism

  • Explain need for tracking and how cookies are used to drive digital operations
  • Share links to individual privacy policies of all in-scope vendors on your site
  • Allow individuals to explicitly agree and/or refuse tracking

3. Understand how website/app-generated data is acquired, used & stored

  • Identify data: Registration, Cookies, IP addresses, device IDs
  • Assess the legal basis to collect data and determine if consent is necessary, e.g., Personally Identifiable Information (PII) vs. transaction functionality, etc.
  • Evaluate need for a specific policy regarding data collection of minor activity (16 years old in GDPR; under 13 years old in U.K. and U.S.)

4. Support data portability

5. Incorporate website intrusion in data breach reporting

While the GDPR mandate for websites has been clearly laid out, meeting it is easier said than done! With the fines for noncompliance enumerated in the regulation (between 4% of global revenues or €20 Million), InfoSec is under pressure from internal risk and compliance professionals to ensure all data elements are documented, assessed and controlled.   

Ignorance is real. So is anarchy.

With such a tall order, it is disturbing that so many InfoSec professionals overlook the perils of third-party vendor code going unchecked. Companies desperately need to incorporate digital vendors into their vendor risk management program. Most website/app operators are in the dark about how many direct and indirect vendors contribute to code on their site and who these vendors are, let alone know how many domains and cookies these vendors use to track website visitors.

Digital vendor risk management will highlight the security and compliance gaps inherent in the digital environment. For example, there really isn’t a clear chain of command when it comes to authorizing the presence of third-party vendors executing on a website. It is a fairly decentralized process, with departments like marketing, sales, IT, risk and legal all making decisions regarding the vendors they would like to use for various website functionalities. This makes creating accountability challenging, with most issues relegated to the IT and security departments to solve.

Putting the “Digital” in Vendor Risk Management

Yes, the odds are stacked against website operators, but creating a holistic digital vendor risk management program isn’t impossible. To create a risk management and GDPR compliance program for your digital properties, you should be able to answer the following:

Within 2 weeks:

  1. How many third-party vendors execute in websites and mobile apps
  2. What are the names of these vendors?
  3. What exactly are they doing, i.e., intended purpose and also additional, out-of-scope activity?

Within 1 month:

4. Do we have contracts to authorize the scope of the work?
5. How does third-party vendor activity affect overall website/app performance?
6. What are the risks to data privacy?
7. What is my exposure to regulatory risk via vendor behavior?

Within 3 months:

8. Am I maintaining encryption throughout the call chain?
9. As these vendors change over time, what is the process to identify new vendors and their activity on websites and apps?
10. If the corporate website isn’t fully secure, what happens when employees visit the site? Is the enterprise network at risk?

Once you’ve been able to answer the above questions, within a year’s time, you should be able to create comprehensive digital vendor governance process that looks like this:

GDPR Complian Blog Post Image

Leaving the light on…and exposing visitors to malware

Hotel websites are vulnerable to malware and data leakage

Hotel website security

The hotel industry is poised for continued growth in 2015, coming off a stellar 2014 which saw occupancy rise to levels not seen in more than 20 years. With the World Tourism Organization projecting more than 1.4 billion international journeys in the year 2020, you can bet that hotel websites will play a central role in fulfilling these travel needs.

What are hotels doing to secure a share of this volume? Many incorporate video, add feedback collection and recommendation features, leverage blogs, or enhance the content management system. These various services provide for a more interactive and engaging website, as well as enable the site to be optimized. But, did you know that they also represent an entry point for malware and data leakage that can expose a customer’s personally identifiable information?

Yes, hotel ecommerce sites are rife with third-party vendors. As outlined in our recent blog post, brand and ecommerce site managers are not doing enough to protect the online and mobile environment FOR their customers. And hotel websites are no different. In fact, current industry rumors point to a manipulation of an account-checking tool used by a major hotel chain. The compromised tool, in concert with stolen passwords, allowed fraudsters to open new accounts and transfer rewards points which were then exchanged for gift cards. So that got The Media Trust thinking about other website vulnerabilities faced by hotels.

In early December, The Media Trust analyzed the 34 top hotel websites, as listed in STORES magazine’s annual “2013 Top 250 Global Hotels” report published in January 2014. Analysis involved the scanning of all public-facing website pages and the capture of all third-party vendors, domains and cookies present on each hotel’s site.

Over a seven-day period, The Media Trust’s Media Scanner scanned each hotel’s website homepage and major sections 250 times a day—a total 1,750 scans across each site. Each scan executed the web page as if being viewed by a typical consumer, and collected and analyzed all third-party code, content and text for security, latency and data leakage issues. Leveraging our presence in more than 500 global locations, The Media Trust replicated a true user experience as if a real consumer visited the website, and therefore did not have the ability to collect actual visitor data.

The results were interesting. The average site utilized 47 different domains, 31 vendors and 65 cookies; however, some outlier hotel sites used as many as 134 domains and 148 cookies.

                                      Average       High

            Domains:             47              134
Vendors:              31                57
Cookies:              65              148

What does this mean? That’s a good question. In theory, low numbers are preferred from a manageability perspective as each domain, vendor or cookie represents an access point to or action on a site—the fewer utilized in site operation, the fewer to manage. However, the reality is that a sizeable number of third-party vendors, domains and cookies are found on most sites as they provide the interactive and engaging functionality executing on browsers.

This functionality comes at a cost. Each third-party vendor represents an access point that could be compromised and serve malware; or, redirect visitors to another, possibly malicious, website or app; or, secretly collect website visitor (first-party) data. In addition, each third party can call dozens of fourth or fifth parties which exponentially increases the risk to site visitors.

Browser cookies provide essential site functions, including the ability to navigate without repeating data entry such as destination, travel dates and room requirements. However, the process of dropping the cookie can easily be compromised by an unauthorized party piggybacking on the cookie. In addition, some third-party vendors drop cookies to collect website visitor/first-party data without website owner/operator knowledge. Known as “data leakage”, these cookies track valuable user behavior—data about guests, their interests and travel periods—which can be resold into the online ecosystem for customer targeting by competitors or industry partners. If that data includes personally identifiable information (PII) the website owner/operator could be subject to data privacy violations. With state attorneys general and the federal government cracking down on PII, hotels must be mindful of public-facing website properties and what is executing on visitor browsers.

Hotel websites are vulnerable to data leakage and malware, and this vulnerability opens the door to litigation and significant brand damage. For these reasons website owner/operators need to thoroughly identify, approve and monitor third-party vendors and their activities at all times.

The big question is: How are the major hotel chains managing their public-facing websites to protect their customers?