The privacy and protection of personal information are essential rights for individuals in today’s era of digital, online communication. The internet and the widespread use of digital technology have transformed the way we communicate, work and socialize. However, they have also created new challenges for privacy and personal data protection.
Individuals continuously generate data, much of it about themselves, and that data can be accessed by businesses and government entities. There is also the looming threat of unauthorized access to personal information by malicious actors looking to exploit it illegally for their own gain. Many solutions attempt to protect the data by securing the server side, but in recent years malicious parties have been able to bypass this protection with attacks on the client side.
The Growth of Client-Side Attacks
Threat actors compromise the software supply chain and exploit data by infecting software packages and updates with malware or other malicious code. It’s particularly troubling because it’s done in a way that is invisible to the user and to the web application owner. Companies must take steps to ensure that personal information, such as users’ names, addresses, phone numbers, email addresses and social security numbers — as well as sensitive information like financial data and health records — is kept safe from malicious actors. Client-side security is also critically important for protecting entire data transmissions, from client to server.
By prioritizing privacy and data protection, companies build trust with their users and minimize the risk of data breaches or privacy violations. Keep in mind that these types of breaches often lead to lawsuits filed by affected customers, even if the damage didn’t occur on the company’s server side. Here are 5 key reasons why client-side protection is critically important.
5 Reasons Why Client-Side Protection Must be Prioritized
1. It protects sensitive data
It’s important to understand the risks and responsibilities of protecting personal data. In addition to the legal liability, owners have an ethical obligation to safeguard user privacy and security.
Injecting malicious scripts into websites and 3rd party services is an attack vector that effectively allows bad actors to acquire sensitive information and sell it to cyber criminals. For example, as reported in The Hacker News, in July 2022 e-skimming code was injected via 3 restaurant ordering platforms — MenuDrive, Harbortouch and InTouchPOS. As a result, 311 restaurant websites were attacked and data from 50,000 payment cards was later found on the dark web.
The following image illustrates that the personal data was leaked to a spoofed card processing domain — http://authorizen.net/. The ‘n’ was added to impersonate a legitimate card processing company’s domain — http://authorize.net/.
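As an added example that is not part of the original post or Radware’s product, the following JavaScript (runnable in Node) audits the hosts that a checkout page’s scripts and beacons reach against an allowlist, reporting unknown hosts and look-alike domains such as the authorizen.net / authorize.net pair above; it also covers the 3rd party inventory discussed in the next section. The allowlist, the sample URL list and the two-label domain extraction are constructed assumptions.

```javascript
// Added example, not part of the original post: audit the hosts a page's scripts and
// beacons reach, flagging unknown hosts and look-alike domains. Allowlist is constructed.
const TRUSTED_HOSTS = ["shop.example.com", "authorize.net", "www.google-analytics.com"];
// Levenshtein edit distance, used to catch typo-squats such as authorizen.net.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}
// Registrable domain approximated as the last two labels (assumption: no multi-label
// public suffixes such as co.uk; use a public-suffix-list library in production).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}
// Verdicts: "trusted", "lookalike" (within 2 edits of a trusted registrable domain) or "unknown".
function classifyHost(hostname, trusted = TRUSTED_HOSTS) {
  const host = hostname.toLowerCase();
  if (trusted.includes(host)) return { host, verdict: "trusted" };
  const reg = registrableDomain(host);
  for (const t of trusted) {
    const tReg = registrableDomain(t);
    if (reg === tReg) return { host, verdict: "trusted" };
    if (editDistance(reg, tReg) <= 2) return { host, verdict: "lookalike", mimics: tReg };
  }
  return { host, verdict: "unknown" };
}
// Keep only findings that need a human look. In a browser the URL list would come from
// document.scripts and CSP violation reports; here it is constructed.
function auditUrls(urls, trusted = TRUSTED_HOSTS) {
  return urls.map((url) => {
    try { return { url, ...classifyHost(new URL(url).hostname, trusted) }; }
    catch { return { url, verdict: "unparsable" }; }
  }).filter((r) => r.verdict !== "trusted");
}
const SAMPLE_URLS = [ // constructed, modelled on the restaurant e-skimming case above
  "https://shop.example.com/js/checkout.js",
  "https://www.google-analytics.com/analytics.js",
  "http://authorizen.net/collect",
  "https://cdn.unknown-tracker.example/pixel.js",
];
console.log(auditUrls(SAMPLE_URLS));
```

Run on a real page, this kind of inventory turns the question "what is our checkout page talking to?" into a short list that a reviewer can check against the vendors the business actually signed up with.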
2. It uncovers 3rd party activity and provides needed visibility
In addition to the risk of leaking sensitive data through 3rd party integrations, many companies are not even aware of all the 3rd party services they themselves use. As you can imagine, this creates a complex web of data sharing and dependencies that can be difficult to manage and secure. This is exactly why companies have to carefully monitor all services used in their applications and select trusted and reputable sources. Make sure any 3rd party service providers regularly review their data privacy policies to comply with their responsibility to ensure private data is used appropriately. If the owner does not have a clear understanding of the data being sent to 3rd parties, they may not be able to meet this responsibility properly.
The Markup recently reported that a tracking tool installed on many hospital websites was collecting patients’ sensitive health information, including details about their medical conditions, prescriptions and doctor’s appointments. The information was then sent to Facebook. It was only after the report was published that the Meta Pixel was removed from some of these websites.
Monitoring data shared with 3rd parties is a basic requirement of most information security frameworks (NIST, ISO 27001, CIS) and data regulations (GDPR, CCPA, PCI-DSS, HIPAA). Failure to adhere to these security standards, especially where it results in a data breach, can lead to organizations being fined by industry regulators, facing penalties and getting pulled into unwanted legal disputes.
By increasing awareness of client-side privacy violations and attacks, and proactively implementing measures to prevent them, organizations can better meet these compliance standards and avoid costly penalties and legal consequences.
3. It helps to avoid damage to a company’s brand and reputation
News of data breaches spreads quickly through social media channels, where people often share their negative experiences and opinions. This damages companies’ reputations and can adversely affect potential customers, existing clients and key stakeholders. All of this makes it even more difficult to recover from a breach.
Loss of trust will assuredly result in a significant loss of business. Customers don’t do business with companies they don’t trust. They take their business elsewhere. The impact to a company’s revenue can be devastating.
One of the best-known examples of a client-side breach affected British Airways in 2018. In the attack, hackers installed malicious code on the British Airways website. It allowed them to steal payment information from customers who made bookings online. The attack affected approximately 400,000 customers and lasted several weeks. As a result of the attack, British Airways faced significant reputational damage; customers lost trust in the airline’s ability to protect their personal and financial information. British Airways was also fined £20 million by the Information Commissioner’s Office (ICO), the United Kingdom’s data protection regulator, for failing to adequately protect customers’ data.
The breach and resultant reputational damage led to a precipitous drop in British Airways’ share price and a significant loss of revenue.
4. It helps to stay up to date on new threats
The threat landscape for client-side attacks is constantly evolving. As we speak, cybercriminals are searching through codebases and scripts to identify weaknesses and focus their attacks on organizations that use them. They’re innovative and quickly adapt to exploit the weakest points of a system. These days, the easiest point of entry is often through client-side applications or browser-based attacks. Both pose tremendous challenges for organizations needing to identify and manage them.
This past January, it was reported that the Liquor Control Board of Ontario (LCBO) website, Canada’s largest alcohol-related site, was hacked. The attacker injected malicious code into the checkout page and disguised it as a legitimate Google Analytics tag (see below). This made it difficult for web application developers and security experts to spot the malicious code and detect the threat. The attackers gathered personal data that customers had previously provided.
During the investigation following the incident, it was discovered that the script was active on its website for 5 days, and went unnoticed!
By adopting a comprehensive and holistic approach to defend against client-side attacks, organizations will stay up to date on the latest security measures that defend against these attacks while strengthening their overall cybersecurity posture.
When evaluating security vendors, make sure you select one that delivers comprehensive client-side security. Ask probing questions about how they do it and you’ll get a good idea of the importance they place on it. If their answers don’t feel satisfying, they probably don’t have the solution you need.
5. It educates teams and improves incident response times
Employees are often the first line of defense against client-side attacks, so prioritizing their education will help them identify and report potential threats. Organizations must create a culture of security awareness and invest in employee education. An ongoing commitment to educate employees means they will be able to respond to security incidents and minimize damage and the disruption of business operations.
Client-Side Protection — Getting More Important Every Day
In today’s digital world, privacy and personal data protection are critical rights. It’s important for individuals, businesses and governments to work together to safeguard these rights and help ensure everyone can enjoy the benefits of the digital age.
Take advantage of a free trial of Radware’s client-side protection solution by clicking here. You’ll be thankful you did.
If you’ll be attending the RSA Conference in San Francisco on April 24-27, make sure and stop by the Radware booth (#2139). Meet with our team of experts and take your cybersecurity to the next level. Better yet, you can set up an appointment with them here.