An analysis of over 3,000 websites and over 100,000 associated webpages (using the client-side security scanning feature of Feroot Inspector) found pixels/trackers on 95% of the websites. Each website in the study corresponds to a unique organization (company, non-profit, or government agency). The high 95% figure reflects the extent of data harvesting done by marketing, advertising, and performance platforms today.
Of particular concern, the analysis discovered that pixels/trackers are present on webpages where they really don’t belong and are truly not needed – specifically, mission-critical webpages where sensitive personal information entered by a website visitor can easily be collected and transferred. Mission-critical webpages include those performing functions such as login, account creation, registration, credit card processing, etc. Capturing and transferring user data on these pages, even for legitimate advertising, is unnecessary and creates undesirable risks.
Figure 1: Websites With Pixels/Trackers On Mission Critical Webpages In Order Of Greatest Risk Exposure
Figure 1 above shows the degree to which pixels/trackers present on webpages performing login and registration functions are actually reading IAM (identity and access management) and/or PII (personally identifiable information) from user input fields into the data fields of the pixels/trackers (ordered most to least), all of which translates to increased risk. Ideally, the number of such instances on a company’s mission-critical webpages should be 0, eliminating the possibility of pixels/trackers collecting and transferring private and/or sensitive user data.
The analysis found pixels/trackers from ByteDance/TikTok, Meta/Facebook, Google, Microsoft, and many others; Table 2 below shows the degree for some of them.
Data transfers, particularly from mission-critical webpages, can constitute violations of a number of regulations and standards covering IAM (identity and access management) and/or PII (personally identifiable information). These include:
- GDPR: fines up to €10 million based on the severity of the infringement (which also applies to US data controllers, i.e., US companies providing services to EU customers or delivering to EU customers directly)
- CCPA: $2,500 for each violation, or $7,500 if intentional, for companies doing business in California (and likewise for other states that have enacted similar laws)
- PCI DSS: fines of $5,000 to $100,000 per month depending on the duration and scope of the non-compliance
The average cost of a breach for organizations with high levels of compliance failures was $5.57m according to IBM’s 2022 Cost of a Data Breach Report. Where the collected and transferred data are user credentials, there is the additional risk of intrusions followed by further attacks conducted from the inside. According to the Verizon 2022 Data Breach Investigations Report (DBIR), the use of stolen credentials accounted for 67% of web application intrusions and 42% of system intrusions. In addition, the DBIR reported that web applications account for 56% of attacks on assets.
In addition to penalties and fines, cyber incidents can also result in reputation and brand damage, and thereby revenue loss from existing customers and potential new customers.
Interested in learning more about pixels/trackers and the risks associated with them?
Download our latest report today.