British Airways fined $233 million – are you protected?
This kind of data breach is increasing in popularity with hackers, becoming progressively more challenging to detect, and can have material financial consequences. In this article, I'll look at the nature of the attack, how you can protect your organization's site, the change in operations needed to remain secure, and how the learnings from this fine also apply to US-based companies.
Hidden tags primer
Here's an example of what lies beneath the NFL's website. Source: Trackermap
The hack comes from the browser
But every time a user clicked to process their payment, all of their form details - name, address, credit card, CVV - were being surreptitiously sent to the hacker's website, too.
This hack turns the user's own browser - and their trust in the website they're using - against them.
There were no databases hacked. No files lifted from servers. All of this happened in the victim's own browser of choice.
How to protect your site
Instead, the onus for this protection falls fully on the owner of the website, in this case British Airways, or, if this were to happen to your organization, you.
It's critical that you have a view of all of the code executing in the runtime environment of your site, whether you placed it there, or one of your vendors introduced it into your environment. It is simply not enough to review the source code that your developers have produced. You need to know what the actual, live code-calling-code-calling-code daisy chain absolutely executes in the users' browsers.
Your IT and Web Operations teams need to use a tool like this to review the live code every week, if not every day. In the ba.com example, the code ran for three months before discovery. Three months! A tool like this could have helped detect and shut down the hack the day it began.
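As an added illustration (not code from the original article or from any particular monitoring tool), here is the core check such a review performs: given the scripts that actually executed on a checkout page, together with the script that injected each one, it rebuilds the code-calling-code chain and flags every host that is not on your expected list. The hostnames, the allowlist and the sample entries are all constructed.

```javascript
// Hosts you expect to serve script on the payment page (constructed allowlist).
const EXPECTED_HOSTS = new Set([
  "www.example-airline.test",
  "cdn.example-airline.test",
  "tagmanager.example.test",
  "static.analytics-vendor.test",
]);

// Constructed sample: each record is one script that ran in the browser, with
// the URL of the script that loaded it (null for the page's own first-party code).
const SAMPLE_ENTRIES = [
  { name: "https://www.example-airline.test/js/checkout.js", initiator: null },
  { name: "https://cdn.example-airline.test/lib/modernizr.js",
    initiator: "https://www.example-airline.test/js/checkout.js" },
  { name: "https://tagmanager.example.test/gtm.js",
    initiator: "https://www.example-airline.test/js/checkout.js" },
  { name: "https://static.analytics-vendor.test/loader.js",
    initiator: "https://tagmanager.example.test/gtm.js" },
  // Fourth link in the chain: nobody on the team placed this one.
  { name: "https://metrics.unknown-host.test/collect.js",
    initiator: "https://static.analytics-vendor.test/loader.js" },
];

const hostOf = (url) => new URL(url).hostname;

// Follow initiator links back to the first-party root so the report shows
// who called whom, not just the final URL. A seen-set guards against cycles.
function chainFor(entry, byName) {
  const chain = [entry.name];
  const seen = new Set([entry.name]);
  let cur = entry;
  while (cur.initiator && byName.has(cur.initiator) && !seen.has(cur.initiator)) {
    cur = byName.get(cur.initiator);
    seen.add(cur.name);
    chain.unshift(cur.name);
  }
  return chain;
}

// Returns one finding per script whose host is not on the allowlist.
function auditScripts(entries, expectedHosts) {
  const byName = new Map(entries.map((e) => [e.name, e]));
  return entries
    .filter((e) => !expectedHosts.has(hostOf(e.name)))
    .map((e) => {
      const chain = chainFor(e, byName);
      return { host: hostOf(e.name), depth: chain.length - 1, chain };
    });
}

for (const f of auditScripts(SAMPLE_ENTRIES, EXPECTED_HOSTS)) {
  console.log(`UNEXPECTED ${f.host} (depth ${f.depth}): ${f.chain.join(" -> ")}`);
}
```

Running this daily against a real capture and diffing the output against the previous run is what turns a three-month dwell time into a same-day alert.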
Impact on businesses
As an industry, we've become complacent with data breaches and leaking customer data. The announcements seem to come and go, and we lose track of the impact they're having on business.
This fine from the UK's ICO highlights that even if the code didn't originate on your server, you are the company serving the code to your users and ultimately responsible for the breach. This fine is 1.5% of all of BA's revenue for 2018. Under the GDPR, organizations can be fined up to 4% of their annual revenue - so this may not be the largest fine we'll see.
In the US, we are not immune to these types of penalties. The California Consumer Privacy Act (CCPA) is introducing a $7,500 per-consumer fine model (which would be an astronomical $3.2 billion maximum fine in the ba.com case). Other privacy regulations being considered around the nation are likewise building in structured fines for poorly managing sites and data.
But you don't have to wait for new regulation. Equifax's credit rating was downgraded by Moody's as a response to the breathtaking $1.35 billion already lost due to their own breach.
Handling customer data is a responsibility we all take on when we engage in data collection and transactions across the internet. Beyond the moral imperative to treat this data securely and safely, failure to do so can have significant, long-term financial costs to your operation.
What should you do now?
First, reach out to your developers and IT leaders to make sure you have some technology in place to monitor and manage hidden third-party tags.
Second, make sure that you move the conversation about privacy and compliance into your customer experience design process. When you build UX for your customers, you're enabling the data collection and transactions that implicitly promise security and safety. Even as a marketing leader, you can't afford to simply assume that IT and legal will make everything ok.
Third, ask questions. What data are you collecting? What purpose does it have? Does asking for this information put you in a position to help the customer or just add to your possible data breach attack surface?
Brands that take these measures seriously and protect the trust their customers have placed in them will be the winners over the next decade. We can all learn from Apple's lead here, where they treat customer privacy, trust, and security as a fundamental feature of their products and services. Will you be a victim or a champion in this new normal? Thinking your company is immune, or starting to worry only when the fines and breaches keep happening to other companies, is not a good strategy. There could be hidden tags running on your website right now. By taking control and tracking them, you reduce the risk of them taking control of your customers' data.