Experts Blog

With the holiday season upon us and Black Friday right around the corner, retailers are trying to understand why some customers abandon their online shopping carts before pressing “proceed to checkout” or “place your order.” Additionally, the marketing teams at these online retailers are furiously trying to figure out why some sales webpages are more effective than others. To solve these riddles, retailers are increasingly turning to web tracking services and fine-tuning their targeting efforts. But it is not just the retailers, nearly every industry and most companies with an online presence will increase their web and mobile app customer tracking during this busy holiday season. 

Corporations and organizations need to be aware of the ramifications of how they are using internet trackers. Understandably, many organizations leverage internet trackers to produce targeted ads, improve the customer experience, and better understand the voice of their customers. What many companies and organizations may not realize is that they may be unknowingly feeding sensitive data to third-party organizations, putting their customers at risk of theft by cybercriminals and fraudsters and potentially running afoul of privacy laws.

What we are seeing

Increasingly, Fortalice experts have found that numerous organizations’ third-party marketing campaign tools (or trackers) are capturing and sending (often unknowingly) their customers’ private and sensitive data to social media companies and big tech platforms (e.g., Meta Pixel, Google Analytics, Microsoft Clarity, Yahoo, LinkedIn, HotJar). Specifically, this information may include personally identifiable information (PII), including full names, email addresses, mailing addresses, cell phone numbers, IP addresses, or, in some case, even health information, including insurance, medical conditions, appointment details, and general patient data.

After receiving information from these application trackers, some third-party companies attempt to use automated processes to filter out, remove, or mask any sensitive information received. That said, the third-party companies lack transparency on the details behind their processes and often fail to sanitize critical data. We are skeptical as to the reliability of these processes, especially as it relates to storage of sensitive data. We are also concerned that cybercriminals could perform a man-in-the-middle (MITM) attack or use something such as a SQL injection attack to grab data from a customer listening session. Based on our research, we feel strongly that this problem is vast and could hit any organization that is doing third-party marketing or customer “listening” campaigns.

This issue crosses three main operating areas in your organization: Marketing, Information Security, and Data Privacy. Marketing needs to be aware of the marketing campaigns running and the tools being utilized. Information Security needs to be aware because the issue presents a potential security vulnerability for the organization. Finally, Data Privacy since the issue is a privacy and compliance issue that crosses multiple regulated and non-regulated industries.  

What is the root cause of this issue? How can organizations be unaware of this issue?

This is an issue that arose from the desire to ensure a positive and elegant customer experience. In their efforts to garner meaningful customer feedback, companies began using third-party marketing firms to assist them with awareness or ad campaigns. While marketing teams within these companies are generally the authority on these trackers, the implementation for these trackers often requires technical skills to properly configure them to capture only required information and safeguard sensitive information. All organizations that do online customer listening or marketing campaigns might have a hidden problem, and it has caught the attention of Capitol Hill.

In October, Senator Mark Warner of Virginia put Meta under the microscope for its “practice of collecting user’s health information through tracking applications.” These Pixel trackers collect sensitive data from customers without their consent or knowledge and put healthcare organizations on the hook for major cybersecurity incidents and lawsuits. 

The consequences of mishandling customer data

This is an issue that has resulted in publicly filed class action lawsuits for major corporations and organizations, including HBO, AARP, and ESPN. Recently, class action lawsuits have been brought against health care organizations. While it is common for organizations to install tracking tools for marketing and operations purposes, it is important for them to consult with their Information Security, Compliance and Data Privacy, and Legal departments, as well. Understanding what data, they are collecting and how it is being uses is critical to ensuring compliance and protecting data.

How Fortalice can Help

We know technology, marketing, and security teams are stretched way too thin. We have a turnkey approach to assist anyone that needs coaching and mentoring on this issue or a helping technical hand:

• Fortalice Fix: This problem, although hidden, can be remedied. If your developer team is too busy right now to look through your pages and mobile apps. Fortalice is ready to help you identify the issue.
• We have already done multiple web app testing cases and it is not a large commitment on behalf of your organization.
• This issue has hit energy companies, internet companies, media/entertainment companies, healthcare, and it is just a matter of time before every company deals with this issue.

What can you do about it right now? Some steps your organization can take:  

1. Discover where trackers are deployed. Fortalice has identified situations in which a tracker, or code related to tracking functions, has been deployed on web pages unknowingly, in unconventional ways, and without the organization’s full knowledge.  
2. Develop a process for vetting and approving the use of tracking and similar technology, including IT Security, Data Privacy and Compliance, and Legal in the discussion.  
3. When implementing and configuring tracking technology, run tests that emulate common website activities, and ensure only data appropriate for the task is collected and transmitted.  
4. Ensure your Privacy Policy clearly explains the use of tracking technology, and where required, provide a means for users to “opt-out” of tracking cookies.

To help organizations better understand their risks quickly and efficiently, Fortalice has built a proprietary privacy health check tool to run through your organization’s web pages and mobile apps quickly, looking for the worst issues. In our experience, it is never a question about the presence of trackers, rather it is how prevalent they are. If we find an issue, we can fix it for you or coach and mentor your team on how to keep your campaigns running more securely and safely for your organizations and for the privacy of your customers.

Don’t wait until your organization becomes the next headline; take the time today to understand how your organization employs trackers.

‍

To accompany this article, Theresa Payton, CEO of Fortalice Solutions, joined Hillarie McClure, host of the Cybercrime Magazine Podcast, discussed third-party marketing tracking and customer listening services, the lawsuits against them, how they impact user and consumer policy, and more. Listen to the full episode here.