It’s hard to do business without JavaScript. But if you’re not enforcing web app client-side protection, it can be pretty hard to do business with JavaScript, too.

JavaScript enables most of the functions you and your users take for granted on your website, like interactive behavior, web forms and credit card transactions. In fact, if yours is like most of the world’s largest and best sites, there are likely dozens of third parties running JavaScript on your site right now. Did you know?

At the same time, JavaScript is attractive to attackers because of its role in passing data — particularly personal and financial data — between you and your users. This opens up a tremendous risk for breach and the ensuing response costs of clean up. It also opens up the risk to major secondary costs in the forms of fines and judgements. As data privacy laws become more common, your organization could be held liable if consumer data is stolen because of a problem like vulnerable JavaScript on your website.

For example . . .

Round-trip airfare. And a data breach.

In the UK in October 2020, the Information Commissioner’s Office (ICO) fined British Airways (BA) £20 million. Why? Because the airline had failed to protect the personal and financial details of more than 429,000 customers and staff members in a 2018 data breach, and thereby ran afoul of the requirements of the General Data Protection Regulation (GDPR). A critical note here: the original fine was $230 million, but due to pressure on the industry from the COVID downturn, the amount was reduced.

[Image: British Airways plane]
British Airways was the victim of a data breach as a result of a Magecart attack. The airline was fined £20 million for failing to protect their customers.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result,” said Information Commissioner Elizabeth Denham. “That’s why we have issued BA with a £20m fine – our biggest to date.”

The ICO made it clear that BA itself had not been the ones to detect the attack. An outside party discovered it more than two months after it happened.

The attack, suspected to be Magecart, exploited and modified just 22 lines of JavaScript to digitally skim the payment information off BA’s website and mobile app. The ICO’s report concludes that, “the infringements constitute a serious failure to comply with the GDPR and, accordingly, that the imposition of a penalty is appropriate.”

Important note – no victim shaming here – BA isn’t alone in either the risk or the impact of this type of breach. The vast majority of websites in the world today are susceptible, because web app client-side protection is only now becoming a priority that organizations focus on.

“Sorry – Could you delete all that data we accidentally gave you in cleartext?”

Similarly, Ally Bank lost face in June 2021, disclosing that their website had sent customers’ usernames and passwords in unencrypted text to external partners.

Although Ally Bank encrypted and hashed user data when it reached their servers, JavaScript on the web app client side allowed third-party skimmers to collect user login information as cleartext. Two months after Ally Bank discovered the vulnerability, they disclosed it in a letter to customers.

“A programming code error associated with Ally’s website inadvertently revealed Ally’s customers’ usernames and passwords to third parties with whom Ally had business relationships,” read the letter. They noted that they had asked the partners to delete the sensitive user data.

The bank’s use of client-side JavaScript that handles user data has led to trouble. Ally Bank currently faces a class action lawsuit that could have expensive consequences: an earlier (unrelated) class action lawsuit against Ally Financial in 2021 ended with Ally settling for $787 million.

The risk is so pronounced that this has to be something you take seriously.

It’s time to focus on web app client-side protection

Face it: The pain these organizations have dealt with isn’t something you want to feel because you didn’t have client-side protection on your radar.

What is the JavaScript on your website doing that you and your users don’t know about? Can your customers really trust it to protect the personal and financial data they give you? How much risk do you feel like taking on?

About 98% of the top 10 million websites use JavaScript client-side. Unless you know something that all of them don’t know, you should be concerned about malicious attacks on JavaScript. Nearly every company with a web presence, in most industries — including retail, healthcare, financial services and hospitality — relies on client-side JavaScript to handle user information.

With Magecart malware (“formjacking”) kits selling for as little as $1,300, the threshold for becoming a cybercriminal is disconcertingly low, leading to an increase in the number of attacks. Attacks can linger undetected for months, meaning that the longer you wait, the more your liability grows.

Why run the risk of huge fines or lawsuits over a JavaScript vulnerability? There are ways to avoid that risk with cost-effective, automated solutions that you install easily, and that your security teams don’t have to maintain. Protection without a headache comes in the form of JavaScript sandboxing from Source Defense.

Learn more about the Source Defense approach to web app client-side protection of your customers’ sensitive data.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.