Guest Columns
4 mins read

What the British Airways fine can teach publishers about online security

plane wing in the sky

Opinion

British Airways’ (BA) £183 million fine signals more than a definite end to the GDPR grace period; it illustrates the high price companies could now pay for poor data security.

So far, the Information Commissioner’s Office (ICO) has remained quiet while other global forces wielded their regulatory powers, issuing €56 million in penalties. But its huge debut fines — including a £99.2 million forfeit for Marriott hotels — show the ICO is closing in on any business that fails to protect its customer data from both clear and hidden threats.

Fuelled by malicious JavaScript, the BA attack wasn’t run of the mill; with third-party tags smuggled onto its website that stole 429,000 customers’ data. As cyber criminals become more advanced, organisations must keep a closer watch over their online assets.

So, what must publishers learn from this colossal breach about enhancing site safety?

Lifting the lid on hacker tactics

Fighting unseen assailants is challenging, but as clandestine site hacks increase it’s vital for publishers to enhance their knowledge of what attacks involve and how to tackle them. And the best starting point is an understanding of the mechanics behind digital content creation.

For today’s coders, constructing websites calls for a mix of HTML5 and JavaScript. Static page elements are built with HTML and when sophisticated functions such as animations are needed, they use JavaScript — often by accessing libraries of code. To keep the user experience streamlined, pages aren’t usually pre-loaded with all the code from JavaScript libraries. Instead, code is retrieved via a file from a Content Delivery Network (CDN) as pages are loaded in the user’s browser. In short, code runs when it’s required.

This browser-based approach is the current norm, used to fuel most site content, as well as marketing and advertising integrations; from analytics tools to social media engines and retargeting platforms. But it has a crucial flaw. Opening the door to JavaScript from remote servers can also bring uninvited and undetected extra guests to sites: code from unknown third parties. These gatecrashing tags can call more potentially hazardous code, and so on; creating a tangled web that — without a specialist tracker programme in place — is hard to track or predict, if businesses know it’s there at all.

The dangers of concealed tags

This form of cloaked hack is precisely what happened to BA. Using an intricate network of JavaScript files, hackers loaded a customised version of a frequently used library, with hidden additional functions. Active on the company’s payment pages, the code looked and acted legitimate  — allowing payments to go through as normal — but it also recorded and sent each customer’s name, address, credit card details, and login to the hackers.

From the publisher perspective, there are two key lessons from this attack. Firstly, following the GDPR rules is more complex than simply asking for consent and protecting servers from infiltration. Businesses have must ensure end-user data is safeguarded, which means they are responsible for the code running on their site and any subsequent negative impact, even if it is stealthily loaded by cyber criminals. Secondly, the risk of such hidden hazards is high.

According to Ofcom’s recent Online Nation report, tag adoption is widespread. Evaluating how behaviour is monitored across multiple popular sites, such as BBC, Microsoft, Google and Sky platforms, the results reveal tags are a clear leader — especially for news sites, with an average of 77 in operation at once. Not only reflective of an industry increasingly reliant on behavioural advertising to drive revenues, these findings highlight that publishers are particularly prone to the rising peril of tag-centric cyber crime.  

What can publishers do?

To reduce the risk of malicious tags, and hefty GDPR fines, more robust defences are essential. For starters, publishers must require complete oversight of code running on their sites, whether it originates from their own servers or not. The days when a brief check of code produced by developers was sufficient to catch threats are long gone; publishers must obtain a detailed and consistent view of all JavaScript code — at least weekly, if not daily.  

Vital to achieving this is frequent and precise analysis. The most advanced tools, for instance, are capable of running instant URL scans that not only track any tags running on a particular page, but also the actions code executes in user browsers. Armed with this real-time insight, publisher IT and development teams can immediately spot potential risks — such as unknown sources, hidden tags, and code running suspicious scripts — which can then be investigated to prevent potential breaches before they occur.

Going forward, the industry needs a change in mindset. At present, tighter privacy and security measures are frequently seen as necessary nuisances. But treating customer data well is also critical to business success. In the post-GDPR world, consumers are becoming equally as discerning as data authorities.

Publishers must learn that the price of ignoring data safety responsibilities goes beyond fines; it also covers consumer trust and experience. By building digital experiences, they are facilitating the data collation and interactions that consumers now expect to be both private and safe. Consequently, privacy protection should be integral to each aspect of consumer experience, from design to daily visits. If publishers want to earn a loyal following and retain trust, keeping sites engaging, efficient, and crime-free is essential.

Gabe Morazan, Director of Product, Digital Governance, CIPP/E, Crownpeak

About: Crownpeak provides the leading, enterprise-grade, cloud-first Digital Experience Management (DXM) platform. The Crownpeak DXM platform empowers Fortune 2000 companies to quickly and easily create, deploy, and optimize customer experiences across global digital touchpoints at scale. Besides featuring content management, personalization, search, and experience delivery services, it is the only digital experience platform that includes built-in Digital Quality Management (DQM) to ensure brand integrity, best practices, and web accessibility compliance.

Photo by Ken Yam on Unsplash

Related posts

What's New In Publishing articles suggested by Bibblio
Helping publishers increase engagement, improve monetization and drive new audiences. Read more