On January 1 of this year, the California Consumer Privacy Act (CCPA) came into effect. This regulation, similar to the European Union’s GDPR, aims to protect consumers’ data privacy in the state.
While preparing for compliance with regulations such as the GDPR and CCPA, security and compliance units within an organization may overlook certain technical vulnerabilities in their data transmission, processing and storage infrastructure.
Battling the ‘Bad’ Bots
With the help of these vulnerabilities, fraudsters can deploy bots to steal data from websites, mobile apps and APIs. The stolen data is often sold by these cyber criminals in the ‘Dark Web’ or illegally used to commit fraud, theft or espionage.
It would be prudent for security and compliance teams to completely identify any attack vectors and protect consumer data from being scraped by malicious bots. As bot management specialists, we are frequently approached by enterprises to address any gaps in their compliance preparations in order to mitigate against such bot attacks.
With the onset of the CCPA, we have also started partnering with organizations to insulate them from bot attack vectors to ensure their consumer data is protected.
Our threat research team has identified key threats which can potentially expose organizations to consumer data protection vulnerabilities, such as:
Account takeover: Using credential stuffing or brute force attack, fraudsters expose private data to theft and other malicious activities.
Content scraping: Industries in which significant amounts of personal user data are involved (such as classifieds, financial services, media & publishing, and e-commerce, for example) are at significant risk of exposing their users’ private information to bots.
Digital ad fraud: Both advertisers and publishers face serious bot threats in the form of behavioral cookies being scraped, or unprotected session data being stolen to uncover user identities. Without a bot protection system, critical data pathways will certainly be vulnerable to sophisticated bot attacks.
Just like GDPR, even CCPA makes cookie theft a liability to the businesses in the name of ‘Unique Identifiers’ stealing personal data without consent. So, it becomes important for the organizations to protect their consumers’ personal information from getting scrapped by unauthorized third party services in the name of cookies.
It’ll Cost You…
Also similar to GDPR, the CCPA imposes large monetary penalties in the event of any data breach. Depending on the violation occurred, penalties start at $2500 for each individual violation and can go as high as $7500 per violation. When personal data on thousands of users gets breached, organizations could end up paying tens (or hundreds) of millions of dollars in penalties and related costs.
As a leader in security and data privacy, Radware strongly recommends that organizations execute a stringent data protection process and partner with a dedicated bot management solution provider to ensure data compliance, maintain their brand reputation, and to avoid potential fines and penalties.