Carding 4 Carders
The story of a clinic that forgot there was a little spy lurking on its website.
One of the largest European clinics narrowly avoided a multimillion-dollar fine because of one small pixel and the inattention of its IT specialists.
A few years ago, a large international network of medical clinics ran an advertising campaign and installed a special tracking pixel on the site to track its effectiveness. This is a fairly common practice among marketers and advertisers. The pixel captures the activity of potential customers on the site and transmits the data to promotion specialists for analysis and development of new strategies.
After the campaign was completed, the pixel was forgotten and not deleted. And it continued to quietly intercept the personal information of site visitors: names, phone numbers, even confidential health data from doctor's appointments.
This was a gross violation of the GDPR (the European Union's General Data Protection Regulation) and other privacy standards. Under European law, the organization faced a fine of up to 4% of its annual revenue. And under the laws of some American states, California for example, up to $7,500 for each leaked medical record.
Given the fact that the organization is very large, we could talk about tens of millions of dollars. In addition, the clinic's reputation would suffer irreparably.
By chance, a financial catastrophe was avoided. Reflectiz, a developer of solutions for protecting web resources, discovered the error during a routine check of the clinic's website.
Reflectiz's ScannAR tool scans web resources for anomalies. In this case, it worked as it should: it recognized the threat and sent an alert to the administrators. The pixel was deleted in time.
Recently, Reflectiz specialists released a study describing the problem. One of the main phenomena at work is "configuration drift".
Configuration drift occurs when the current state of the site deviates more and more from the original state over time. This happens for many reasons: manual code changes, software updates, and human factors.
Drift introduces inconsistencies and vulnerabilities in the operation of web resources. It is quite difficult to ensure reliable data protection in such conditions.
To combat this problem, companies implement special tools for monitoring systems that help them find errors and deviations from secure settings in a timely manner.
The study mentions two other important points.
The first is non-compliance with the requirements of PCI DSS v4.0 (Payment Card Industry Data Security Standard), which regulates the protection of payment data on online store sites.
The second is violations of the HIPAA health regulations that protect confidential medical information. This once again highlights the seriousness of the mistake made by the staff of the aforementioned clinic, who ignored the problem for four whole years.
Configuration errors cause not only leaks, but also serious financial risks for all companies due to non-compliance with industry standards.
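The post describes how a forgotten third-party pixel went unnoticed for years because nobody compared the live site against what had been approved. The script below is an added example for this thread, not Reflectiz's ScannAR or any code from the study: it parses a page's HTML with the Python standard library, collects every external resource a browser would load (scripts, images, iframes, stylesheets), and reports any origin that is not in an approved baseline. The approved origins, the clinic-like domains and the tracker domain in the sample page are all made up for the example.

```python
"""Detect third-party tags that have drifted from an approved baseline.

Added example for this thread; not Reflectiz's ScannAR or any other product.
It parses a page's HTML with the standard library, collects every external
resource a browser would load, and reports any origin that is not in the
approved baseline. A forgotten tracking pixel shows up as an unapproved
origin, typically a 1x1 image or a script.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Baseline: the origins the site owner has approved (assumed for the example).
APPROVED_ORIGINS = {
    "https://cdn.example-clinic.test",   # hypothetical first-party CDN
    "https://fonts.gstatic.com",         # hypothetical approved font host
}

# Tags and attributes through which a page pulls in third-party resources.
LOADING_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
}


class ResourceCollector(HTMLParser):
    """Collect (tag, url, attrs) for each element that loads a resource."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in LOADING_ATTRS.get(tag, ()):
            url = attrs.get(attr)
            if url:
                self.resources.append((tag, url, attrs))


def origin_of(url):
    """Return scheme://host for an absolute URL, or None for a same-site path."""
    parts = urlsplit(url)
    if not parts.netloc:
        return None
    scheme = parts.scheme or "https"  # protocol-relative URL: "//host/..."
    return f"{scheme}://{parts.netloc}".lower()


def looks_like_pixel(tag, attrs):
    """Heuristic: a 1x1 or hidden image is the classic shape of a tracking pixel."""
    if tag != "img":
        return False
    w, h = attrs.get("width", ""), attrs.get("height", "")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (w, h) == ("1", "1") or "display:none" in style or "visibility:hidden" in style


def find_drift(html, approved=APPROVED_ORIGINS):
    """Return the external resources whose origin is not in the baseline."""
    collector = ResourceCollector()
    collector.feed(html)
    drift = []
    for tag, url, attrs in collector.resources:
        origin = origin_of(url)
        if origin is None or origin in approved:
            continue  # same-site resource or an approved third party
        drift.append({
            "tag": tag,
            "url": url,
            "origin": origin,
            "pixel": looks_like_pixel(tag, attrs),
        })
    return drift


# Constructed sample page: an approved CDN script plus a forgotten campaign
# pixel. The tracker domain is invented for the example.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-clinic.test/app.js"></script>
<script src="//tracker.campaign-2019.invalid/pixel.js"></script>
</head><body>
<img src="https://tracker.campaign-2019.invalid/p.gif?page=appointments" width="1" height="1">
<img src="/images/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for item in find_drift(SAMPLE_HTML):
        flag = " (pixel)" if item["pixel"] else ""
        print(f"unapproved {item['tag']} from {item['origin']}{flag}: {item['url']}")
```

Run it against the saved HTML of each page in a crawl and diff the output between runs; a new unapproved origin is exactly the drift the study describes. The check is static, so it will not see tags injected at runtime by an approved script (a tag manager loading further tags, for example); for that, the same origin comparison has to be done on the requests a real browser makes.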