What You Don’t Know Can Hurt You: The Risks of Third Party Apps

It’s a fundamental principle of both privacy and security that you must know what data you have, where it is – both at rest and in transit – and what you’re doing with it. Without a complete knowledge of these three things, you cannot truly say that you’re protecting the data in your care.

These are the basics upon which you construct your privacy and security programs, and they’re the basis of your agreements with your customers.

It’s 2021, so let’s assume that you have solid privacy and security programs, and you’ve done inventories and looked at data flows. And because privacy is important now, you’ve made sure what you do with the data is consistent with what you’ve told customers you’re doing with it.

You are generally squared away with respect to the things your company and its major vendors are doing. You’ve done risk assessments, and you have appropriate measures in place to protect your data from a range of threats.

That’s great; you’re doing well. 

However, you probably still have a gap: third parties that have a presence on your website.

Almost every site has them; they provide a variety of useful services from page usage data to personalized news feeds to payment pages. They’re critical web infrastructure.

You may feel that the risks associated with third-party apps are relatively small, but they’re real, they’re becoming more and more of an issue, and you need to know about them and be sure you have them under control. Even if you have a handle on them, chances are you need to fill in some parts of the picture.

Privacy Issues

The fundamental privacy problem with third parties you don’t know about is that your customers don’t know about them either. From a relationship perspective, that can lead to unpleasant surprises if other organizations suddenly seem to know about what they were looking for on your site.

If you’re dealing with sensitive topics (if you’re a health site, do you want Facebook knowing your users have looked at a page on getting help with substance addiction?) it’s obviously pretty serious. Tags and cookies do exist on health reference sites, for example.

It’s even worse if you’re regulated under a jurisdiction where you’re required to notify site users about cookies and uses of their data, for example, if you’re dealing with users within the EEA (GDPR) or in California (CCPA, soon CPRA).

If you don’t know something is happening, you can’t notify your users, so you may be out of compliance. Since some of these transfers of data are treated as selling personal information under CCPA/CPRA or engaging in automated behavioral profiling under GDPR, it is especially important for you to know they are happening as they may trigger additional obligations.

Third parties may not be invisible to your users, either, since there are now public domain tools that will show them at least some of the third-party presence.

Security Issues

From a security perspective, anything that’s happening on your website that you don’t know about is a source of risk. It’s even worse when those activities become a route for attackers to invade your environment. And attack routes they become.

Third parties with a presence on your site may themselves be vulnerable to attacks in ways you would not be, and the fact that they’ve been compromised is often invisible to you.  

One example is Magecart, a group of cybercriminals who steal payment card information from people using online payment pages. They do this by compromising third-party code present on the payment page — and there is usually code from many third parties present — either directly or via supply-chain attacks.

In other words, it may not even be a third party you know about that gets compromised; it may be one or more levels farther back. This means that you can’t rely on even trusted third parties to warn you, as they themselves may not know until it is too late.

Business Consequences

Obviously, if privacy or security problems on your site lead to a publicized incident. This is especially likely if you’re under regulation with mandatory reporting, or if the incident is big. 

You can suffer financial damage in terms of remediation, possibly credit protection for affected customers, and lost revenue. You can also suffer brand damage, as customers flee your site to one which hasn’t yet been hit by a breach.

Less dramatically, even when some kinds of tags and cookies are working well, they can lead to other sites getting to advertise products to people who viewed those products on your site, thus stealing your customers away.

Lokker’s Privacy Automation Helps You See and Protect

Our 3rd-party app controlling technology offers a range of products designed to provide clarity, insights, and practical fixes to completely control browser interaction points. Lokker will show you what third parties are accessing your users’ data, where they are taking it, and who they are sharing it with.

Our website privacy reports expose PII data leaks down multiple layers (some notable examples show PII data traveling out to the 27th party level), tracing the chain, which often reveals some surprises for companies who previously thought they had control of their customer data.

In and of itself, this data leak information will give you knowledge about your environment you don’t have today. But we go beyond that: our Website Privacy Scans & Reports assess threats, help you prioritize actions, and provide you the tools you need to fix problems with specific third parties or across the board.

We employ privacy experts who can walk you through the action steps so you can fix your site. Not all third parties are bad, and you can selectively decide which will receive information and which will not.

Understand that the web environment is dynamic. The landscape continually changes. A third party that is safe and trusted today could be compromised next week or tomorrow.

Worse yet, some attackers are smart and only act intermittently, making them harder to spot.  Some even learn to hide from regular scans. This is why Lokker will watch your environment continuously, alerting you to changes in 3rd party apps and data flows that may indicate a problem.

Lokker delivers what you need to fully understand and control your environment, and to protect your customers.

 

Author:
J.D., CISSP, CIPM, CIPP/E, FIP. Expertise in law, technology, information security, data privacy, healthcare analytics, and healthcare. Develops privacy and security programs; collaborates across the company to deliver creative solutions while ensuring the privacy and security of data. Passionate about creating a culture where all employees understand the importance of handling data correctly, recognize and speak up about potential issues, and are actively engaged in the process. Experience with Privacy Regulations (HIPAA, GDPR, CCPA etc.), Formal Certifications (ISO, SOC, HITECH, EHNAC), and De-Identification of Data.