3rd Party Libraries: Your Next Data Breach Nightmare

A little over a week ago, the security researchers at ReversingLabs uncovered an attack where they discovered a bunch of malicious Javascript libraries offered via an NPM package manager that were stealing personal data. These malicious libraries had similar names and employed an interface similar to official libraries which made the developers unintentionally use them in their products. The obfuscated code in the libraries made it impossible to understand how they functioned. The libraries were stealing and sending data from the user forms to their domain. There were thousands of downloads of these malicious libraries.

Wait, isn't this a supply chain attack? How does it relate to privacy?

This attack shows that hackers increasingly use supply chain attacks to steal sensitive data. SolarWinds hack, one of the biggest supply chain attacks of the 21st century, impacted 18,000 customers. Most supply-side attacks aim at gaining access to data - predominantly customer data, including personal data and intellectual property. It's a privacy threat disguised as a supply chain issue.

Currently, privacy teams operate outside the engineering walls. The data protection team works on the controls for data discovery, cataloging, access control, etc., on the right-hand side of the development cycle once the data has been collected and processed. These teams have zero visibility into the software development life cycle. They are unaware that third-party libraries freely chosen by developers can pose significant privacy risks. There is a need to bring visibility into third-party usages and data flows.

Below are the three reasons why Privacy and Data Protection Teams should care about the third-party libraries used by developers:

1. Compromising customer's data through accidental use of the malicious libraries
   As we saw above, developers can use malicious or unauthorized libraries that could lead to data breaches. Customer data, including sensitive, personal data, is often the primary target of these attacks. There is a significant risk of compromising your customer's data.
2. Attracting fines for the incompatible usage of the personal data
   Sharing data with third parties may lead to incompatible usage of the personal data, which is not mentioned in your Privacy Policies or Data Processing Agreements. For example, a leading period and fertility-tracking company was fined by FTC because in their privacy policy they promised health data will not be shared with any third party, in reality health events were flowing to Google and Facebook SDKs. Until privacy teams can enforce personal data usage policies at a code level, such fines will continue to repeat.
3. Inaccurate & out of date Data maps and Article 30 Reports
   Development teams have heterogenous tech stacks with thousands of third-party libraries. Developers continue to integrate and share data with third parties. It is challenging to keep manually generated Data maps and Article 30 reports up-to-date due to the velocity of the Development teams, resulting in inaccurate and stale reports.

‍

Privacy and Data Protection Teams must embrace a proactive approach to identify and mitigate the risks. The data vulnerabilities and non-compliance often result from how applications are developed. Privacy Code Scans allow privacy teams to identify data flows, enforce privacy policies in code & provide guidance to developers on privacy issues as they are building products & applications. With this approach, privacy teams can take a proactive approach & Shift Privacy Left where the cost of fixing privacy issues is less & there are no privacy breaches!

At Privado, we have a core belief that consumers deeply care about privacy, and privacy is critical for the internet economy to function. Our mission is to empower developers to create privacy-first products. Our static code analysis platform lets you track the usage of personal data across all third parties used by your developers. Schedule a demo if you resonate with our mission and want to see how we track data flows to third parties.