Guilty by association: The reality of online retail third-party data leaks

Online retail activity continues to accelerate at a rampant pace and shows no signs of slowing down. According to the National Retail Federation (NRF), U.S. retail sales are expected to rise between 3.8 and 4.4 percent to more than $3.8 trillion in 2019.

At the same time, the risks involved in online retail, for brands and consumers alike, have never been greater. According to Trustwave’s 2018 Global Security Report, the retail industry suffered more data breach incidents in 2017 than any other sector, as attackers became more organized and more targeted in their efforts. The retail industry is also notorious for poor application security, ranking 17th of 18 measured sectors in the 2018 Retail Cybersecurity Report.

Poor application security is particularly concerning for online retailers because their websites are built on a myriad of third-party services, and on the fourth-party services those in turn load, added to enhance the customer experience and drive brand engagement. These services include everything from live chat and custom fonts to product reviews and gifting apps. Every one of them runs in the customer’s browser with the same access to the page as the retailer’s own code, so these engagement boosters can do more harm than good if attackers exploit a partner’s weak security practices or vulnerabilities in its solution.

A prime example of third-party services causing potentially disastrous financial and reputational damage to retailers is credit card numbers leaking into the URLs of sensitive pages along the customer journey, typically because a checkout form submits card fields with GET instead of POST, or because application code echoes a field into a query string or fragment. Every third- and fourth-party service that records the page URL on those pages, which is exactly what analytics, tag-management and session-replay tools do by design, then receives the full card number, and, depending on the page’s Referrer-Policy, outside hosts may also receive it in the Referer header of every request. That data can easily be used for fraud.

Some of the world’s largest retail brands have encountered this situation, and if it is not handled properly the consequences are dire. A 2018 report from cybersecurity firm Shape Security found that 80 to 90 percent of login attempts on retailers’ eCommerce sites come from attackers using stolen data, in many cases stolen credit card information.

Identifying the problem

The first and most important challenge retailers face when third-party services inadvertently collect customer credit card data is understanding the scope of the problem. The website services ecosystem is a dynamic, rapidly changing environment: different lines of business and departments constantly add new third-party services, many of which call on fourth-party services of their own.

Gaining visibility into all third- and fourth-party services running on a retailer’s website, and into the entirety of the raw data associated with the leak, is the first step. But what the retailer really needs to know is exactly what information each outside service collected, at what point in the customer journey, from which audience (device, browser, OS, site section, geography), how many cards were affected, and the actual card numbers, so that they can be checked against transaction records to identify whether anyone made a fraudulent purchase. That level of detail is what makes appropriate mitigation possible. Mapping every service running on an eCommerce site, across all user populations, by hand and in a timely manner is practically impossible; automation must be employed.
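The following is an added example, not code from the article or from any vendor it mentions, showing the two checks the last two sections call for: finding card numbers that have leaked into a checkout page URL (Luhn-validated, so order numbers and SKUs are not flagged), scrubbing them out of the URL before any tag script can read it, and reporting which third- and fourth-party hosts loaded on the page and whether any request to them carried a card number. All hostnames, URLs and the approved-vendor list are constructed for the example; 4111 1111 1111 1111 is the well-known public Visa test number, not a real card.

```javascript
// Added example, not code from the article or from any vendor it mentions.
// Audits a checkout page URL for Luhn-valid card numbers, produces a scrubbed
// URL, and reports what each outside host that loaded on the page saw.
// Hostnames, URLs and the approved list below are constructed sample data.

// Luhn checksum: separates card numbers from order numbers, SKUs and other
// long digit runs that also turn up in URLs.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Analytics beacons often carry the page URL as a parameter, so a number can be
// percent-encoded more than once; decode until the text stops changing.
function fullyDecode(s) {
  for (let i = 0; i < 4; i++) {
    let d;
    try { d = decodeURIComponent(s); } catch (e) { return s; }
    if (d === s) return s;
    s = d;
  }
  return s;
}

// 13 to 19 digits, optionally separated by spaces, plus signs or dashes, as a
// card number typed into a form and serialized into a query string appears.
const PAN_CANDIDATE = /\d(?:[ +-]?\d){12,18}/g;

// Returns every Luhn-valid card number found anywhere in a URL.
function findPans(url) {
  const findings = [];
  for (const m of fullyDecode(url).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ +-]/g, '');
    if (!luhnValid(digits)) continue;
    findings.push({
      digits, // full PAN: this is cardholder data and must be handled as such
      masked: digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4),
    });
  }
  return findings;
}

// Rewrites the page URL with every card number removed. In the browser this
// would run as the first script on the page, before any tag loads:
//   history.replaceState(null, '', scrubUrl(location.href));
// It matches the raw (singly percent-encoded) URL so the result stays a valid URL.
const RAW_CANDIDATE = /\d(?:(?:[ +-]|%20|%2D)?\d){12,18}/g;
function scrubUrl(url) {
  return url.replace(RAW_CANDIDATE, (m) => {
    const digits = m.replace(/[ +-]|%20|%2D/g, '');
    return luhnValid(digits) ? 'REDACTED' : m;
  });
}

// pageUrl: the checkout page URL; resourceUrls: every resource the page loaded
// (in a browser, performance.getEntriesByType('resource').map((e) => e.name));
// firstPartyHost and approvedHosts: the retailer's own domain and vendor list.
function auditCheckoutPage(pageUrl, resourceUrls, firstPartyHost, approvedHosts) {
  const byHost = new Map();
  for (const r of resourceUrls) {
    const host = new URL(r).hostname;
    if (host === firstPartyHost || host.endsWith('.' + firstPartyHost)) continue;
    if (!byHost.has(host)) {
      byHost.set(host, { host, approved: approvedHosts.has(host), requests: 0, pansSeen: [] });
    }
    const entry = byHost.get(host);
    entry.requests += 1;
    for (const f of findPans(r)) {
      if (!entry.pansSeen.includes(f.masked)) entry.pansSeen.push(f.masked);
    }
  }
  return {
    leaked: findPans(pageUrl),
    scrubbed: scrubUrl(pageUrl),
    thirdParties: [...byHost.values()].sort((a, b) => a.host.localeCompare(b.host)),
  };
}

// --- constructed sample data (hypothetical hosts) ---
const SAMPLE_URL =
  'https://shop.example/checkout/confirm?order=1234567890123456' +
  '&card=4111%201111%201111%201111&exp=12%2F24';
const SAMPLE_RESOURCES = [
  'https://shop.example/static/checkout.js',        // first party
  'https://cdn.shop.example/img/logo.svg',          // first-party CDN
  'https://analytics.vendor-a.example/collect?dl=' + encodeURIComponent(SAMPLE_URL),
  'https://chat.vendor-b.example/widget.js',        // live chat, third party
  'https://fonts.fourth-party.example/fontset.css', // pulled in by the chat widget
];
const APPROVED_VENDORS = new Set(['analytics.vendor-a.example', 'chat.vendor-b.example']);

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditCheckoutPage(SAMPLE_URL, SAMPLE_RESOURCES, 'shop.example', APPROVED_VENDORS);
  console.log(JSON.stringify(report, null, 2));
}
```

Run against the sample data, the report shows one leaked card in the page URL, the same card (double-encoded) inside the analytics beacon sent to vendor-a, nothing sent to the chat vendor, and a fonts host that nobody approved, which is exactly the fourth-party blind spot the article describes. Two design notes: the 16-digit order number is deliberately not flagged because it fails the Luhn check, and the scrub must run before any tag, because a script already in the page reads `location.href` regardless of what the browser puts in the Referer header.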

Taking action

Only once this detailed level of understanding is achieved can retailers take appropriate action in notifying those affected. This starts with the third- and fourth-party services identified as inadvertently collecting personal data and cardholder data. In many cases such services are blind to the collection: they interact with so many different website ecosystems, not only in eCommerce, that the data flowing to them is never properly measured or acted upon. Next come individual customers.

Only with the detailed card information in hand can a retailer identify impacted customers and alert them to dispute fraudulent charges on their accounts or credit cards and, where necessary, have the cards reissued.

Proactive protection

Unfortunately for retailers, this is rarely an isolated incident. Once the initial leak and its scope have been identified and impacted parties have been alerted, retailers must continuously monitor the site to ensure further leaks do not occur, and must put processes in place to alert them if additional sensitive information is exposed to outside services.

Yet to get ahead of the situation and stop trouble before it starts, there are several steps retailers can take proactively. First, retailers should meticulously audit and evaluate every third-party application, and any additional services it relies on, before it is put into production. This rigorous assessment gives brands the visibility to understand the entry points through which attackers could obtain and exploit leaked credit card information, and to answer questions about defects and loopholes in the vendor’s code that attackers could take advantage of. The audit should also confirm the basics on the retailer’s own side: card data is submitted with POST and never placed in a query string or fragment, a restrictive Referrer-Policy keeps the full page URL out of requests to outside hosts, and each vendor script is checked for the fourth-party resources it loads and the page data it reads.

In addition to auditing before implementation, a detailed, current inventory of every third-party service operating within the retailer’s website ecosystem is greatly beneficial. Such a list keeps the tag load on the site under control, and it lets security staff confirm that patching is complete, spot services nobody approved, and detect and remove malicious code modifications as quickly as possible.

At the end of the day, a customer impacted by a breach, leak or hack will not care whether their sensitive information was obtained directly from the retailer or from one of the many third-party services employed to enhance the brand experience. That is why it is of the utmost importance that brands put processes in place to fully understand the outside services they work with and the entirety of the data shared with them, inadvertently or not.