Advertising on TikTok is an obvious choice for any company trying to reach a younger market, especially if it’s a travel company: 44% of Gen Z Americans say they use the platform to plan vacations. But one online travel site targeting young vacationers with ads on the popular video-sharing platform broke GDPR rules when a third-party partner misconfigured the TikTok pixel on one of its regional sites. An intriguing new case study shows how the cybersecurity company that discovered the problem prevented a data leak from turning into a costly breach.
For a complete case study, click here.
Dangers close to home
Cyber attacks often make headlines because hacking is a natural attention grabber. The groups behind the attacks look like modern-day thugs, shadowy figures who can prey on countless victims behind a mask of anonymity. Such faceless criminals will always attract readers’ attention, and while that’s understandable, we’d do well to draw attention to some of the less dramatic security risks that can be just as damaging.
It has been said that if the news outlets focused on reporting on the biggest threats to our lives, every story would cover heart disease and how to prevent it, because it kills many times more people than events like wars and car crashes. It’s the same with cyber threats. While major hacks make us sit up and take notice, many breaches are caused by simple, routine “housekeeping” glitches, and that’s what happened to the company featured in this new downloadable case study.
What happened?
While we’re not going to name the global travel company (to spare it embarrassment), the cybersecurity company that discovered the problem is called Reflectiz. Its flagship product is a platform with innovative monitoring technology that presents its findings in a clear, intuitive dashboard. Under the hood, it scans websites using a proprietary browser that simulates user behavior. It displays all third-party web applications and code snippets associated with the site, including embedded objects, so if any code is acting suspiciously or sending data somewhere it shouldn’t, Reflectiz notices and alerts the user.
The case study details how one of these scans revealed a misconfigured TikTok pixel. TikTok has 1.6 billion users, so you’ve probably heard the name. If you haven’t, it’s a video-sharing social media platform based in China that’s wildly popular among young people. When the travel company started using Reflectiz, it discovered that the pixel, because it had not been implemented correctly, was collecting users’ sensitive data and sending it to TikTok’s Chinese servers without their permission.
While there appears to have been no malicious intent in this case, the lesson for companies of all sizes is that intent doesn’t change the outcome. Online companies that release customer data without users’ permission are still in violation of data privacy regulations like GDPR, and the regulator may see fit to sanction them.
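To make the failure mode concrete, here is an added example (not Reflectiz code, and not the travel site’s code) of the kind of check a site owner can run over outbound requests captured from their own pages: any call to a non-first-party host that carries personal data while the visitor has not consented to marketing trackers is flagged. The hostnames, field names and request records are constructed samples; real pixel endpoints and payload formats are assumed to differ.

```javascript
// Added example, not code from Reflectiz or the travel site: audit outbound
// requests captured from a page and flag third-party tracking calls that
// carry personal data without consent. Hosts and records are constructed.
const FIRST_PARTY_DOMAIN = 'example-travel.com'; // constructed site domain

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PHONE_RE = /^\+?\d[\d\s().-]{6,}\d$/;
// Key names that commonly hold personal data in tracker payloads (assumed list).
const PII_KEYS = /(email|phone|first_?name|last_?name|external_?id|address)/i;

// Walk a parsed query map or JSON body and return dotted paths of leaf values
// whose key name or value looks like personal data.
function findPii(obj, path = '') {
  const hits = [];
  for (const [key, value] of Object.entries(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (value !== null && typeof value === 'object') {
      hits.push(...findPii(value, here));
    } else if (typeof value === 'string' &&
               (PII_KEYS.test(key) || EMAIL_RE.test(value) || PHONE_RE.test(value))) {
      hits.push(here);
    }
  }
  return hits;
}

// requests: [{url, body}] as a monitor would capture them; consent: whether the
// visitor opted in to marketing trackers. Returns one finding per violating call.
function auditRequests(requests, consent) {
  const findings = [];
  for (const { url, body } of requests) {
    const { hostname, searchParams } = new URL(url);
    const firstParty = hostname === FIRST_PARTY_DOMAIN ||
                       hostname.endsWith('.' + FIRST_PARTY_DOMAIN);
    if (firstParty) continue; // only third-party destinations are of interest
    const fields = findPii(Object.fromEntries(searchParams));
    if (body) {
      try { fields.push(...findPii(JSON.parse(body))); } catch { fields.push('<unparsed body>'); }
    }
    if (fields.length && !consent) {
      findings.push({ host: hostname, fields, reason: 'personal data sent to third party before consent' });
    }
  }
  return findings;
}

const SAMPLE_REQUESTS = [ // constructed capture from a page load without consent
  { url: 'https://www.example-travel.com/api/search?dest=lisbon' },
  { url: 'https://pixel.example-tracker.com/track?event=PageView&email=alice%40example.com&phone=%2B15551234567' },
  { url: 'https://pixel.example-tracker.com/track',
    body: JSON.stringify({ event: 'ViewContent', context: { user: { email: 'bob@example.com' } } }) },
];
```

Running `auditRequests(SAMPLE_REQUESTS, false)` reports the two tracker calls and the exact fields that leaked, which is the evidence a privacy team needs to fix the pixel configuration and scope any notification duties.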
The cost of non-compliance
Non-compliance with the GDPR (General Data Protection Regulation) can lead to significant consequences:
- Fines: up to €20 million or 4% of annual global turnover, whichever is greater. The exact amount depends on the nature of the violation and the size of the organization.
- Damage to reputation: non-compliance can damage an organization’s reputation, causing loss of customer trust and potential business opportunities.
- Processing bans: regulators may order a company to stop processing personal data, which could disrupt business operations.
- Claims for compensation: individuals affected by the violation may file claims for damages.
- Increased scrutiny: organizations that do not comply may face heightened regulatory scrutiny and audits.
- Legal fees: defending against lawsuits or fines can result in significant legal costs.
While this may all seem a bit hypothetical, regulators are taking action. In one recent example, from June 2024, the Swedish Data Protection Agency (IMY) fined an online pharmacy SEK 15 million (approximately $1.45 million) for improper use of the Facebook Pixel. The pharmacy “mistakenly” activated Facebook Pixel’s Automatic Advanced Matching (AAM) and Automatic Events (AE) features, resulting in the transmission of sensitive personal data to Facebook/Meta. Between 500,000 and one million people were affected by this inadvertent breach between 2019 and 2021.
The solution
While we don’t know the exact extent of the breach in the travel company’s case, we do know that Reflectiz caught the TikTok pixel misconfiguration before it could do more damage, likely saving the company a fortune in fines and reputational harm.
Despite this capability, Reflectiz does not require installation. There is just a simple onboarding process that starts with a remote scan to map the entire web ecosystem. After that, it continuously monitors all of the site’s sensitive web pages and detects and flags any suspicious activity by any web component.
The solution can identify third-party web components that track customers’ activities without their consent, including attempts to capture their geographic location or to use their cameras and microphones. With so much at stake, no company can afford to risk being caught out by something as avoidable as a misconfigured tracking pixel.
For the full story, download the complete case study here.