
Data Leakage Prevention Policies: Seal your Security Perimeter

February 13th, 2024 | By Tom Vicary | 10 min read

Cybercriminals work tirelessly to compromise sensitive data by turning technology against the digital systems and networks that hold it, and it is up to their intended targets to defend against these sophisticated attacks. Sometimes, though, attackers barely need to lift a finger, because one threat hands them what they want on a plate: data leakage. That is why leakage prevention has come into the spotlight for businesses.
 

Understanding data leakage prevention


Data leakage is the unauthorized transmission of sensitive data from within a company to an external recipient or destination, and it most often occurs via the web and email. Common causes include an employee sending a message to the wrong recipients, flaws in security policies, and unpatched vulnerabilities in software.


It can also happen when mobile data storage devices such as USB keys and laptops are left unattended or when a disgruntled employee leaks confidential information to attract outside attention. Whether the leakage is accidental or intentional, the consequences can be crippling.


1. Reputational damage

A leak of the personal information a customer entered into an online form on a business's website can break that customer's trust, erode their loyalty, and create a negative perception of the brand.


2. Financial cost

The cost varies with the type and extent of the leak, but it typically includes the reactive steps taken to contain the breach, the implementation of new security measures, the investigation of the leak, and compensation for those affected.


3. Regulatory compliance

Increasingly robust data protection regulations legally require organizations to take appropriate steps to mitigate data leaks. Failure to comply can result in legal action, significant financial penalties, and reputational damage.


Data leakage examples


1. Volkswagen Group of America

From August 2019 to May 2021, a data leak exposed personal information of around 3.3 million Volkswagen customers, including driver's license numbers and social insurance numbers. Malicious actors exploited a third-party vendor to obtain the data after Volkswagen had failed to secure this database.


2. Capita

In May 2023, Capita, a group that operates services for the NHS, councils, and military in the UK, leaked personal and financial data into the public domain. The incident was caused by an exposed Amazon S3 bucket – a cloud storage misconfiguration that left sensitive files publicly accessible. This primarily impacted local councils, exposing constituents' benefits data, including Personal Independence Payments (PIP) details. The company’s shares fell by more than 12% in the wake of the leak.


3. Infinity Insurance

In December 2020, malicious actors gained unauthorized access to files on Infinity Insurance's servers for two days. This exposed the personal information of customers and of current and former employees, including millions of driver's license numbers and social security numbers.


How to prevent data leakage


The adage "prevention is better than a cure" rings true when tackling data leakage. Permanently plugging the gaps in your business's physical and digital security perimeter before a leak occurs stops it from happening in the first place. Conversely, a reactive approach that only attempts to stop a leak after it has started leaves you exposed in the meantime.


A proactive approach to data leak management requires the implementation of focused strategies that are specifically designed to prevent this pervasive threat, including:


1. Achieving comprehensive coverage of website data

To gain visibility and respond to a data leak expeditiously, monitor every script's activity in real time so that misbehavior is detected as it happens. Reinforce this with a detailed inventory of what each script sends, where it sends it, and when.
 

2. Reinforcing the source code

Gain control of third-party script activity on your website by combining runtime protection with obfuscation capabilities, both of which are measures that can mitigate data loss and are endorsed by the National Institute of Standards and Technology (NIST) and the Open Web Application Security Project (OWASP). Once suspicious code is blocked, the data leakage it would have caused is prevented.


3. Implementing robust policies

Oversight measures can help you structure how data is transacted. This includes implementing robust data leakage prevention policies that require third parties to comply with agreed data protection standards. These essential components of a cybersecurity strategy help reduce the risk of financial loss, reputational damage, and legal consequences resulting from a data leak.
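The monitoring and blocking described in strategies 1 and 2 above can be sketched in code. The following is an added example, not Jscrambler's product or code from the original article; the page origin, the allowed hosts and the stub fetch are constructed, and the same wrapper pattern applies to XMLHttpRequest.send and navigator.sendBeacon.

```javascript
// Added example (not Jscrambler's product code): a client-side egress
// monitor that inventories every outbound transfer a script makes and
// blocks destinations outside an allowlist. All host names are constructed.
const ALLOWED_HOSTS = new Set(["shop.example", "api.shop.example", "psp.example"]);

// Inventory entries record what was sent, where, when, and by which caller.
const inventory = [];

function hostOf(url, base) {
  try { return new URL(url, base).hostname; } catch { return null; }
}

// Wrap a fetch-like function (window.fetch in a browser, a stub under Node)
// so every call is recorded and checked before any bytes leave the page.
function makeGuardedFetch(realFetch, { pageOrigin, allowedHosts, now = () => new Date() }) {
  return function guardedFetch(resource, init = {}) {
    const url = typeof resource === "string" ? resource : resource.href || resource.url;
    const host = hostOf(url, pageOrigin);
    const entry = {
      destination: host,
      method: (init.method || "GET").toUpperCase(),
      bytes: init.body ? String(init.body).length : 0,
      sentAt: now().toISOString(),
      // Second stack frame above this wrapper: lets a responder attribute the call.
      caller: ((new Error().stack || "").split("\n")[2] || "unknown").trim(),
      allowed: host !== null && allowedHosts.has(host),
    };
    inventory.push(entry);
    if (!entry.allowed) {
      // Fail closed: the transfer never happens, and the entry stays in the inventory.
      throw new Error(`blocked data transfer to ${host || "invalid URL"}`);
    }
    return realFetch(resource, init);
  };
}

// Report view for the SOC: blocked transfers counted per destination.
function blockedByDestination(entries) {
  const out = {};
  for (const e of entries) {
    if (e.allowed) continue;
    const key = e.destination || "invalid URL";
    out[key] = (out[key] || 0) + 1;
  }
  return out;
}
```

In a browser the wrapper would be installed with `window.fetch = makeGuardedFetch(window.fetch, {...})` before any third-party script loads.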


Data leakage prevention tools

Jscrambler’s data leakage prevention tool is designed to underpin this proactive approach. It helps you understand your level of risk by gathering data and providing information about which vendors and scripts are running on your website and what data they are touching in every user session.


This essential process is performed across three key stages:


  • Monitoring: Continuously gathers information on all user sessions and attributes levels of risk to each vendor based on its behavior.

  • Risk mitigation: Provides visibility and control over the sensitive data entered into web forms and over which vendors are accessing and transferring sensitive data from your website, allowing you to block unauthorized access.

  • Script control: Provides precise control over all first and third-party script behavior by enforcing comprehensive data access rules, allowing you to block unauthorized behaviors, including data transfers to external domains.


A recent update to its provisions has amplified another critical element of data leak management: compliance with PCI DSS (Payment Card Industry Data Security Standard), a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.


PCI DSS compliance

The fourth iteration of the PCI DSS aims to meet the evolving security needs of the payment industry, promote security as a continuous process, increase flexibility, and improve the procedures by which organizations achieve their security goals. The new PCI DSS v4 requirements, which focus on managing payment page scripts (notably JavaScript), can be used alongside other cybersecurity standards and regulations, such as HIPAA, to address data leakage risks.


JavaScript, which runs on all major browsers, is the building block of nearly every modern web page. Its appeal stems from its ability to bring online applications to life, create dynamic user experiences, and function across several platforms. While its benefits are compelling, the widespread use of third-party JavaScript without sufficient monitoring can create security risks that remain undetected for a significant period.


It is challenging for online businesses to maintain complete visibility and control over these scripts. In 2023, research by Jscrambler found that 80% of the 20 most highly trafficked US e-commerce websites had an average of 148 JavaScript scripts on their payment pages.


Given this limited visibility into JavaScript, PCI DSS has included specific requirements (6.4.3 and 11.6.1) designed in part to detect tampering or unauthorized alterations to the payment page that could result in the leakage of cardholder data. PCI DSS defines the scope of its requirements based on the cardholder data environment (CDE), which includes the systems and processes that store, process, or transmit cardholder data. Any data leakage within the CDE is a significant violation of PCI DSS.


Conclusion

Effective data leakage management is built on a foundation of robust controls that dictate who can access what data. This essential requirement is achieved by blocking script misbehaviors using granular control of actions and access levels, allowing you to maintain the integrity of your website without compromising functionality.


Jscrambler can also help you keep pace with the dynamic regulatory compliance landscape—a challenge the updated PCI DSS has brought into sharp focus. With the structure in place to maintain compliance with its new provisions, your organization will reinforce its data leakage controls.


Jscrambler

The leader in client-side Web security. With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart.
