Case Study: The Cookie Privacy Monster in Big Global Retail

Cookie Privacy

Explore how an advanced exposure management solution saved a major retail industry client from ending up on the naughty step due to a misconfiguration in its cookie management policy. This wasn’t anything malicious, but with modern web environments being so complex, mistakes can happen, and non-compliance fines can be just an oversight away.
Download the full case study here.

As a child, did you ever get caught with your hand in the cookie jar and earn yourself a telling-off? Well, even if you can still remember being outed as a cookie monster, the punishments for today’s thieving beasts are worse. Millions of dollars worse.

Cookies are an essential part of modern web analytics. A cookie is a small piece of text data that records website visitor preferences along with their behaviors, and its job is to help personalize their browsing experience. Just as you needed parental consent to access the cookie jar all those years ago, your business now needs to obtain user consent before it injects cookies into a user’s browser and then stores or shares information about their browsing habits.

As custodian of the website cookie jar, your business can’t raid it like you did when you were six. You must get permission in both situations, but these days the punishment can be hefty fines from data privacy regulators and expensive lawsuits from users.

A new case study from Reflectiz, a leading website security company, highlights how its advanced exposure management solution saved a major retail industry client from ending up on the naughty step due to a misconfiguration in its cookie management policy. This wasn’t anything malicious like a web skimming or keylogging attack, but with modern web environments being so complex and companies like this one having hundreds of websites to maintain, mistakes can happen, and non-compliance fines can be just an oversight away.

For the full story, you can download the case study here.

A Little About Tracking Cookies

Tracking cookies has been around since the early days of the internet. In 1994, Lou Montulli, a programmer employed by the precursor to Netscape was working on an e-commerce application for MCI, one of its clients, which had requested a virtual shopping cart. He invented cookies as we are verifying whether users visited the site before and remembering their preferences.

Stories began to appear in the news around cookies’ potential to invade privacy, but despite public concern, it wasn’t until 2011 that the European Union enacted legislation to ensure that websites obtain users’ explicit consent before using cookies.

Unauthorized Tracking Without Cookie Consent

In this new case study, a global retail client sought to continuously monitor diverse user journeys on their websites, uncovering that 37 domains were injecting cookies without obtaining proper user consent. The retail company’s conventional security tools remained blind to this issue due to constraints imposed by their organizational VPN, limiting visibility. Furthermore, the rogue and misconfigured cookies were injected into iFrame components, creating challenges for standard security controls like WAF to monitor effectively. Download the full case study here.

The Client’s Problem: Blinded by VPN

Although the retailer’s platform already had other security solutions in place, it was blind to the problem, which was this: on 37 of its websites, cookie tracking was taking place without obtaining explicit consent from visitors. This was happening via iFrames (which are used to embed content from one website inside another) that were obscured by a VPN. This masked their activities and made the cookie consent issue invisible to the other security solutions.

Although this was a damaging oversight, at least the data was not being sent to malicious actors. Instead, Reflectiz discovered that it was going to a legitimate third-party advertising service.

The High Cost of Non-Compliance

For a company with customers in the European Union, GDPR applies, and a violation of its cookie consent rules is classed as a Tier 2 category offense. Under this regulation, businesses that fail to obtain valid cookie consent could be fined up to 4% of their global annual turnover or €20 million ($21.94 million), whichever amount is larger. This is why having the ability to track the behaviors of every asset connected to a website is so important, and why Reflectiz was such a lifesaver in this instance.

The Solution

Reflectiz saw what the other solutions couldn’t. It identified the 37 domains where cookies were being used without consent, discovered where the data was being sent (in this case, a legitimate advertiser), and empowered the retailer to fix the problem before it could escalate.

The Reflectiz platform gives companies in the retail, finance, medical, and other sectors the insights they need to maintain compliance with data protection standards and avoid similar incidents that can result in fines, lawsuits, and reputational damage. It’s remotely executed so there’s virtually no performance impact, and the intuitive interface means that employee onboarding is swift.

Key Takeaways

  • Consent Oversight: The platform failed to detect and inform users about certain cookies injected without proper consent, lacking a consent box on the website.
  • VPN Secrecy Unveiled: Reflectiz’s monitoring exposed 37 domains injecting cookies without user approval, traced back to a location initially hidden by an Organizational VPN.
  • Third-Party Data Compromise: Compromised data reached an external domain through unauthorized cookie injections triggered by a specific user journey.
  • Unnoticed iFrame Tracking: Unmonitored iFrame activity contributed to privacy violations by tracking user data without consent.
  • Misconfigured Cookie Threat: A misconfigured cookie facilitated the privacy breach, posing a significant threat to user privacy.
  • Communication Breakdown Lesson: Improved inter-departmental communication, especially between security and marketing, is crucial to prevent issues related to third-party code implementation.
  • Continuous Monitoring Crucial: The case highlights the critical need for continuous monitoring and vigilance in the ever-evolving landscape of online privacy to uphold user trust and comply with data protection regulations.

For more background and an in-depth analysis, you can download the full case study here.



Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.