~4-5 minute read
© Tricia Dunlap
Part 1: What the Heck Are Piggyback Tags and Why Should I Care?
Every business website has “Tags” – they are the pixel or code mechanisms that facilitate the collection and sharing of data between your website and the services you rely on for site analytics and marketing. For example, if you use Criteo for retargeting and Google Analytics for Web Analytics, then Criteo and Google Analytics will each provide a different tag for you as a site owner to place on your website in order to fulfill the services you’ve bought from them.
There are thousands of marketing vendors, and each has their own unique Tag. The result is that websites usually have dozens to hundreds of authorized Tags that your organization has properly vetted, with each Tag performing its own unique tasks related to content, site functionality, sales optimization, and many more categories many of which are collecting data about your site’s visitors on your behalf.
That makes sense. If you’ve bought a service from a vendor, you expect your authorized vendor to gather the data or to perform the functionality that you require.
What you almost certainly don’t know is this- your authorized vendors have relationships with other vendors (often, data aggregators). These third-party vendors that you have not authorized also place Tags on your site via one of your authorized service tags, which essentially ride “piggyback” on your authorized vendor’s Tag.
That third-party, unauthorized Tag is called a “Piggyback Tag.”
Yes, you read that correctly. Your authorized vendor is likely allowing unauthorized third-party vendors to attach Piggyback Tags to their Tag. Those Piggyback Tags cling to your website like a baby chimp hanging off its mother.
It gets worse. Unlike the baby chimp, Piggyback Tags are not cute.
How Damaging Are Piggyback Tags?
The third-party, unauthorized vendors also have vendors. And those vendors in turn may also put a Piggyback Tag or two on your site. Imagine that baby chimp hanging on its mom. Now picture a second baby chimp hanging onto the first. Yep, that’s a Tier 2 Piggyback Tag. Only, the baby chimps are often invisible. It’s not unusual for a website to have hundreds of Piggyback Tags; a large website can easily have thousands.
Right this minute, as you’re reading this blog post, all of these vendors are creating significant downstream risks for your company because they’re collecting data from your visitors. You almost certainly don’t know:
- Who the vendors are
- Whether their Piggyback Tag is properly maintained
- What data they’re collecting, or
- How they’re using or selling the data.
- If those vendors GDPR or CCPA compliant
What’s more, Piggyback Tag vendors may fail to update or patch their product (as with any software product, updating and patching are essential). An unmaintained Piggyback Tag caused one of Equifax’s 2017 data breaches: criminals exploited an unpatched, vulnerable Piggyback Tag attached to its website and used it as a back door into Equifax’s data (this is also known as a “Supply Chain Attack”).
The criminals stole Equifax customer “names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed.” Equifax CEO, Richard Smith, lost his job and the company’s reputation sustained painful damage. Here’s what happened to its share price:
Since that time numerous large sites have fallen victim to via Supply Chain Attacks including British Airways, Ticket Master, and New Egg have had negative publicity following the announcement of the loss of customers’ Personally Identifiable Information (PII) data including credit card info.
Finally, Piggyback Tag vendors can change their data collection practices at their whim, so even if you’re complying with policy and law today, you might not be tomorrow.