TikTok Pixel Privacy Nightmare: A New Case Study


Nov 14, 2024 | The Hacker News | Data Privacy / Compliance

Advertising on TikTok is the obvious choice for any company trying to reach a young market, and especially so for a travel company: 44% of American Gen Zs say they use the platform to plan their vacations. But one online travel marketplace that targets young holidaymakers with ads on the video-sharing platform broke GDPR rules when a third-party partner misconfigured a TikTok pixel on one of its regional sites. A new case study describes how the cyber security company that discovered the problem stopped a quiet data leak from turning into a costly breach.

For the full case study, click here.

Dangers Close to Home

Cyberattacks often make the headlines because hacking is a natural attention-grabber. The groups behind the attacks seem like modern-day highwaymen, shadowy figures who can rob countless victims from behind a mask of anonymity. Faceless criminals like these will always grab readers’ attention, and while this is understandable, we’d do well to pay attention to some of the less dramatic security risks that can be just as damaging.

It’s been said that if news outlets focused on reporting the biggest threats to our lives, then every story would cover heart disease and how to prevent it, because it kills many times more people than events like wars and car crashes. It’s the same with cyber threats. While big hacks make us sit up and take note, many breaches are caused by simple, mundane failures of ‘housekeeping’, and that’s what happened to the company featured in this new downloadable case study.

What Happened?

While we're not going to name the global travel marketplace involved (to spare it any embarrassment), the cybersecurity company that caught the problem is called Reflectiz. Its main product is a monitoring platform that presents its findings in a clear, intuitive dashboard. Under the hood it scans websites using a proprietary browser that mimics user behavior. It maps every third-party web app or code snippet connected to the site, including objects embedded in iframes, so if any component behaves suspiciously or sends data somewhere it shouldn't, Reflectiz notices and alerts the user.

The case study details how one of its scans revealed a misconfigured TikTok pixel. TikTok has 1.6 billion users, so you've probably heard the name; if not, it's a China-based video-sharing social media platform that's wildly popular among young people. When the travel company started using Reflectiz, it found that the pixel had not been implemented correctly and was collecting sensitive user data and sending it to TikTok's servers in China without the users' consent.

While there doesn't appear to have been any malicious intent in this case, the big takeaway for companies of any size is that the absence of malice doesn't change the outcome. An online business that releases customer data without the express permission of its users is still in breach of data privacy regulations such as GDPR, and the regulator may see fit to sanction it.


The Cost of Non-Compliance

Non-compliance with GDPR (the General Data Protection Regulation) can lead to significant penalties:

  • Fines: up to €20 million or 4% of annual global turnover, whichever is higher. The exact amount depends on the nature of the violation and the organization’s size.
  • Reputational Damage: non-compliance can harm an organization’s reputation, causing loss of customer trust and potential business opportunities.
  • Orders to Cease Processing: regulatory authorities can order the company to stop processing personal data, which can disrupt business operations.
  • Compensation Claims: individuals affected by the breach may file claims for damages.
  • Increased Scrutiny: non-compliant organizations may face more attention from regulators and could be subject to audits.
  • Legal Costs: defending against claims or fines can incur significant legal expenses.

While that can all sound a bit hypothetical, regulators have been taking action. In one recent example, from June 2024, the Swedish Authority for Privacy Protection (IMY) fined an online pharmacy 15 million Swedish kronor (approximately $1.45 million) for improperly using the Facebook Pixel. The pharmacy had activated the pixel's Automatic Advanced Matching (AAM) and Automatic Events (AE) features "by mistake"; these features have the pixel pick up identifiers such as email addresses and phone numbers from the page's form fields, and the result was a transfer of sensitive personal data to Facebook/Meta. This inadvertent breach affected between 500,000 and a million individuals from 2019 to 2021.


The Solution

While we don’t know the exact scale of the breach in the travel company case study, we do know that Reflectiz caught the TikTok misconfiguration before it could do more damage, likely saving the company a fortune in fines and reputation loss.

Despite being so powerful, Reflectiz requires no installation on the site. There is just a straightforward onboarding process that begins with a remote scan to map the entire web ecosystem. After that it continuously monitors all sensitive webpages and detects and flags any suspicious activity by any web component.

The solution can identify third-party web components that track customers' activities without their consent, including attempts to capture their geographical locations or to use their cameras and microphones. With so much at stake, no company can afford to be caught out by something as avoidable as a tracking pixel misconfiguration.

For the full story on this cautionary tale, download the full case study here.

This article is a contributed piece from one of our valued partners.