
5 Risks of Client-side Supply Chain Code


Web developers rely on third-party code and open-source libraries to quickly add functionalities to their site. In fact, over 99% of websites use third-party code in the form of social sharing buttons, advertising iframes, payment iframes, chatbots, analytics scripts and A/B testing scripts to create frictionless experiences for their users.

In order to function, third-party code must be granted access to your apps and data, including the power to modify, remove and create alternative site assets — and cybercriminals know it. They target vulnerabilities in this code to carry out digital skimming, PII harvesting and other client-side supply chain attacks.

Third-party Problems

If a cybercriminal conducts a successful supply chain attack against your site, the consequences for the business can be severe.

1. Regulatory Fines

Data privacy regulations — including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Act (CPRA) — hold online businesses accountable for safeguarding consumer data. The CPRA specifically provides that digital businesses that expose the data of California residents face possible fines of $7,500 for each intentional violation of user privacy and $2,500 per violation for those deemed unintentional.

Governments are serious about enforcing such legislation. British Airways was fined $229 million for a Magecart attack that harvested personal and card information from over 400,000 British Airways customers.

2. Lawsuits

Unsurprisingly, consumers don’t like it when their personal information is exposed. Users might file lawsuits against companies that leave them vulnerable to identity theft, and brands are liable for any data breach on their site — even if the cause was an attack on a third-party library. U.S. retailer Hanna Andersson paid $400,000 to settle a class action lawsuit following a Magecart attack on its website.

3. Damage to Reputation

Consumers are more

*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2022/5-risks-of-client-side-supply-chain-code/