
    The Cookie Privacy Monster in Big Global Retail

    By techempire

    Report | January 16, 2024 | Hacker News | Data Security/Privacy Compliance


    Learn how an advanced risk management solution prevented a major retail client from getting into trouble due to misconfigured cookie management policies. The cause was not a malicious act: modern web environments are so complex that mistakes can happen, and a non-compliance fine can follow from a simple oversight.
    Download the full case study here.

    When you were a kid, were you ever scolded for getting caught with your hand in the cookie jar? Well, even if you remember being exposed as a cookie monster, today's cookie thieves are punished far more severely. Millions of dollars more severely.

    Cookies are an essential part of modern web analytics. A cookie is a small piece of text data used to record the preferences and behavior of website visitors to help personalize their browsing experience. Just like years ago when you needed parental consent to access a cookie jar, your business now needs to obtain user consent before injecting cookies into their browsers and then storing or sharing information about their browsing habits.

    As the custodian of your website’s cookie jar, your business can’t raid it like you did when you were six years old. In both cases, you have to get permission, but these days the penalty can be hefty fines from data privacy regulators and expensive lawsuits from users.

    A new case study from leading website security company Reflectiz highlights how its advanced exposure management solution prevented a major retail client from getting into trouble due to misconfigured cookie management policies. This was not something malicious like a web skimming or keylogging attack, but because the modern web environment is so complex and companies like this have hundreds of websites to maintain, errors can happen and a non-compliance fine can result from simple negligence.

    To get the full story, you can download the case study here.

    Some knowledge about tracking cookies

    Tracking cookies have been around since the dawn of the web. In 1994, Lou Montulli, a programmer employed by the predecessor to Netscape, was developing an e-commerce application for MCI (one of its clients) that required a virtual shopping cart. He invented cookies as a way of verifying that users had visited the site before and of remembering their preferences.

    Reports that cookies could infringe privacy began to appear in the news, but despite public concerns, it was not until 2011 that the European Union enacted legislation ensuring that websites obtain explicit consent from users before using cookies.

    Unauthorized tracking without cookie consent

    In this new case study, a global retail client attempting to continuously monitor different user journeys on its website discovered that 37 domains were injecting cookies without appropriate user consent. The retail company's traditional security tools remained blind to the issue because the organization's VPN limited their visibility. Additionally, malicious and misconfigured cookies were injected into iFrame elements, which makes it hard for standard security controls such as WAFs to monitor them effectively. Download the full case study here.

    Customer Problem: Blinded by VPN

    Although the retailer's platform had other security solutions in place, they were blind to the problem: cookie tracking was being done on 37 of its websites without the visitor's explicit consent. This happened via iFrames (used to embed content from one website into another) that were obscured by the VPN. This masked their activity and made the cookie consent issues invisible to the other security solutions.

    While this is a damaging oversight, at least the data wasn’t sent to malicious actors. Instead, Reflectiz found that it was going to legitimate third-party ad services.

    The high cost of non-compliance

    For companies with customers in the EU, GDPR applies, and violations of its cookie consent rules are classified as Level 2 violations. Under this regulation, businesses that fail to obtain valid cookie consent may be fined up to 4% of their global annual turnover or €20 million ($21.94 million), whichever is greater. This is why being able to track the behavior of every asset connected to your website is so important, and why Reflectiz becomes a savior in this situation.

    Solution

    Reflectiz sees things that other solutions don't. It identified 37 domains that were using cookies without consent, discovered where the data was being delivered (in this case, legitimate advertisers), and empowered the retailer to resolve the issue before it escalated.

    The Reflectiz platform provides companies in retail, financial, healthcare and other industries with the insights they need to maintain compliance with data protection standards and avoid similar incidents that can result in fines, litigation and reputational damage. It’s executed remotely so there’s little impact on performance, and the intuitive interface means employee onboarding is quick.

    Key takeaways

    • Consent oversight: The platform failed to detect and notify users of certain cookies that were injected without appropriate consent, and the website lacked a consent box.
    • VPN secrets revealed: Monitoring by Reflectiz exposed 37 domains that were injecting cookies without user approval and that had originally been hidden by the organization's VPN.
    • Third-party data leakage: Compromised data reached external domains via unauthorized cookie injection triggered by specific user journeys.
    • Unnoticed iFrame tracking: Unmonitored iFrame activity tracked user data without consent, resulting in privacy violations.
    • Misconfigured cookie threat: Misconfigured cookies contribute to privacy leaks and pose a major threat to user privacy.
    • Communication breakdown lesson: Improving interdepartmental communication, especially between security and marketing, is critical to preventing issues related to third-party code implementation.
    • Continuous monitoring is critical: This case highlights the urgent need for ongoing monitoring and vigilance in the evolving online privacy landscape to maintain user trust and comply with data protection regulations.

    For more background and in-depth analysis, you can download the full case study here.
