Wake Up and Smell the JavaScript

The SolarWinds attack showed the true meaning of a supply chain breach. And it's the canary in the coal mine for sensitive data on the Web.

Deepika Gajaria, VP of Products, Tala Security

April 12, 2021

3 Min Read
Dark Reading logo in a gray background | Dark Reading

Even before the pandemic hit and everyone flocked online, companies were investing significant time and resources in building great online experiences for their users. But all that usability comes with a price tag in terms of risk. Today's websites are essentially a conglomeration of Web-enabled assets, a massive global supply chain that nobody really thinks about in this way. And that's a big data-privacy problem that's about to get a lot bigger.

What do all these connected parts have in common? JavaScript. "Write once, run everywhere" has been the backbone of today's rich Web — but that portability has massive implications for both data security and data privacy. Magecart is driving awareness of the security aspects, but many businesses seem unaware of the growing privacy implications of uncontrolled data sharing by trusted Web applications. The Web has largely been ignored when it comes to understanding data-privacy risks. Enterprises take care of the data in their databases and how they store customers' and other sensitive data, but more often than not, the Web is where data is invoked.

What happens when the same applications and integrations that deliver rich user experience and insights share that sensitive information with third, fourth, or fifth parties outside your organization's control? You can get an idea by looking at dating site Grindr and a pending €10 million fine for sharing user data with advertising companies without the consent required under the General Data Protection Regulation (GDPR).

Are website owners really doing enough to protect users and understand these emerging risks?

Start Caring About Oversharing
Forms found on 92% of websites expose data to an average of 17 domains — climbing to 20 if you happen to be a top mobile service provider in the European Union, where (depending on the country) passport scans and copies of pay slips are among the documentation requested to sign a contract. That's a lot of oversharing. And what about the multiple trusted applications on your site — Google Ads, chatbots, etc.? While many of these applications are set to collect data, many organizations aren't aware of the exact kind or extent of the data they're collecting.

Can you genuinely claim to know exactly where all this data is flowing? Do you know:

  • Which vendor has access to what sensitive data?

  • Which vendor reads sensitive data?

  • Which vendor shares sensitive data with other vendors?

Because if you don't, you should. Regulations, including GDPR and the California Consumer Privacy Act (CCPA), require enterprises to be aware of where sensitive data is flowing, as well as the purpose of these data flows.

Why It Matters
Unintentional data exposure is a significant, unaddressed problem for most of the world's website owners. When we fail to secure data as it's entered into websites, we're effectively leaving it hanging: the only reason it's not being stolen is that criminals haven't taken it. Yet.

Equally, when we overlook the need to understand how trusted applications share data, we run the risk of simply giving it away — without our users' consent.

Everyone talks about security in depth, security beyond the perimeter, and data privacy. It's time to focus on the place where those things intersect: the browser.

About the Author

Deepika Gajaria

VP of Products, Tala Security

Deepika Gajaria is Tala's VP of Products. An experienced product leader and technologist, Deepika is responsible for product strategy and delivery at Tala. Working closely with customers, she drives product direction and shapes the product roadmap to address their core needs.

Prior to Tala, Deepika was part of Cisco Jasper, where she led the launch of IoT smart city applications. Her career in product management began at EMC in the new product introduction team, working on key initiatives across the Storage and Data Protection divisions.

Deepika has held diverse roles in her career: Her first job out of school was in the research and development of high-voltage particle accelerator technology used in cancer therapy machines. Deepika is a Longhorn, holding undergraduate and graduate degrees from the University of Texas at Austin in Natural Sciences and the McCombs School of Business.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights