Don't Let Third-Party Tags Fly Away with Your Booking Codes: Data Security in the Transportation Industry

It's easier than ever to get around a city, country, or anywhere on the planet, thanks to the current digital sophistication in booking flights, rides, and other modes of transportation online. However, to offer customers a complete experience that meets all their travel needs requires transportation companies to integrate third-party tags from partner companies that an organization's development team may never even see, let alone secure.

Transportation companies use these third-party service tags to connect their websites to external sites, allowing them to upsell services to partner companies, such as car rental, hotel, or travel insurance companies. Website tags also collect data on user behavior, demographic information, and purchase history to personalize a customer's experience, as well as link to third-party chatbots for customer support.

These tags have certainly enabled players in the transportation industry to transform their digital business, integrating new functionality into their websites quickly to make it easier than ever for customers to make purchases and receive customer or technical support, quite literally on the fly. However, they also leave digital transactions exposed to external risks that an organization may not even be aware of. 

Risks of Third-Party Tags in the Transportation Industry: An Aviation Use Case

British Airways, for example, in 2019 was the victim of a Magecart attack in which attackers skimmed the information of about 500,000 customers from the company's website. The UK-based airliner not only lost customer data and confidence, but even incurred a fine of £183.39 million ($229.2 million at the time) for not reporting the incident according to the European Union’s General Data Protection Regulation (GDPR), which mandates the time frame in which a company must disclose a breach.

In fact, this incident spurred another airline serving international customers to approach Jscrambler and its client-side solution to secure their website, hoping to avoid a similar scenario.  Company officials suddenly wondered if their own website also had security gaps that cybercriminals could use to their advantage, threatening the safety of their customer data and dooming them to a similar fate.

When the company examined its practices, officials discovered a common problem among non-digital native organizations that are rapidly upgrading their digital business: their approach to security was more manual than technical, involving checklists and paperwork rather than a deeper understanding of how JavaScript and third-party tags on their websites function.
 

Even though the organization had security staff who could do the heavy lifting to secure new scripts as they were added, they prioritized innovation over process, finding workarounds to get things up and running quickly rather than doing due diligence to monitor new scripts in real-world conditions. This created security risks that could inadvertently open the door to compromise or be exploited by a threat actor.

Addressing the Security Risks

Enter Jscrambler's comprehensive client-side monitoring solution, which can help organizations not only discover places where third-party tags are putting data at risk, but also help them control these tags. Jscrambler provides policies and controls through which third-party tags must pass, ensuring that only the approved tag behaviors and data captured during a third-party transaction or interaction leave their secure website.
 

In fact, during implementation, Jscrambler made a critical discovery that one of the third-party tags the client was using to connect to a partner website was leaking customer booking codes from the client's website to the partner site during the transaction. 

This is no minor data leak, as these codes are the key to a person's reservation and hold a trove of personal and sensitive data about customers - including personally identifiable information (PII), travel plans, transaction data, passport information and the like - that could be exploited if it falls into the wrong hands. 

Jscrambler’s Client-Side Solution

While companies need to expand their partner ecosystem by connecting with third-party companies through tags, they also need to have controls like those provided by Jscrambler's client-side solution because "people make mistakes," says Rui Ribeiro, Jscrambler's CEO.
 

"The overall picture is: we need to have controls and make sure that all the third parties that you need to build an effective and practical website only have access to the data that they need to do the work that they need to do," he says.

Luckily, it was an easy fix to prevent the booking code from being shared with the partner company; however, this is a scenario that could occur with any transportation organization that uses tags to connect with partners for a modern website experience.

This type of inadvertent exchange of sensitive data, such as booking codes, is a security issue that many airlines and other transportation companies aren't aware of, Ribeiro says. That's why it's essential for Jscrambler to provide companies with visibility into the data exchanged between third-party tags and their website, and to give them control over the type of data exchanged.

To put such controls in place, the client used Jscrambler’s Form Fencing feature, which offers behavioral control over third-party tag access to form data based on polices and user-defined rules. In this way, the client is the one in the captain's chair, ensuring that only necessary scripts can read and access form data, thereby preventing malicious actors from siphoning sensitive information found in web forms.

Jscrambler's solution also provides clients with tag visibility by alerting them to significant modifications or non-compliant behavior in third-party tags, enabling continuous assessment of a company's exposure to third-party vendor risk. This feature is a competitive advantage over the static policies that other modern client-side protection solutions use, which can't keep up with third-party tag software updates.

Transportation companies want to focus on the digital experience they present to customers and not on worrying about how third-party tags might expose customer information. Jscrambler's client-side protection can help them maintain digital agility while ensuring cybercriminals don't use malicious scripts to fly away with booking codes – or any other sensitive data.