Lesson from huge Blue Shield California data breach: Read the manual

CISOs can learn two lessons from a US health insurance provider’s admission this month that misconfiguring Google Analytics led to the disclosure of personal health information of 4.7 million subscribers, says an expert.

Those lessons, according to Brandon Evans, a senior instructor at the SANS Institute and a Tennessee-based independent security consultant, boil down to this:

  • read the documentation of any third party service you sign up for, to understand the security and privacy controls;
  • know what data is being collected from your organization, and what you don’t want shared.

“It’s important to understand these giant platforms make it easy for you to share your data across their various services,” he said. “So look out for settings to share data that you may not intend to share.”

Evans was commenting on Blue Shield of California’s admission that, because its Google Analytics service was configured to allow some data to be shared with Google Ads, a wide range of member data may have been used for targeted advertising between April 2021 and January of this year. According to the US Department of Health and Human Services’ web site, the data of 4.7 million members was exposed.

That information included members’ insurance plan name, type, and group number; city; zip code; gender; family size; Blue Shield assigned identifiers for members’ online accounts; medical claim service date and service provider, patient name, patient financial responsibility; and “Find a Doctor” search criteria and results (such as location, plan name and type, provider name and type).

There was no disclosure of other types of personal information, such as Social Security numbers, driver’s license numbers, or banking or credit card information, Blue Shield of California stressed.

This puzzled Evans. Usually, he said, Google Analytics measures a person’s use of a web site. Why, he wondered, would it have collected personal and health information?

Asked for comment about how the misconfiguration happened and what IT admins could do to prevent this happening to them, Blue Shield of California referred CSO to the company’s statement about the incident.

Common cloud misconfigurations

Misconfigurations by admins – leaving insecure default software settings in place, enabling unnecessary features, giving users overly permissive access, and insecure API configurations – give CISOs grey hairs.

“This kind of thing happens all the time and is an inherent risk in using services provided by companies who work in many areas,” Evans said in an interview, noting that he’s not surprised at the Blue Shield of California incident. “Google does everything – they work in advertising, analytics, search, and cloud services. Technically speaking, if you share your data with an organization like Google, it is impossible to guarantee that data will not be used in another context.”

He noted that they might not intend to use your data, but nothing is stopping them from taking the data you shared in one context and using it in another.

“Even though Google is a reputable organization that offers its customers extensive security controls, they have a purposefully reasonable incentive to make it easy for customers to share data across Google services,” he said. In fact, Google touts on its web page the benefits of connecting Google Ads to Google Analytics.

On a separate page, Google also details privacy controls in Analytics, including explaining how to disable advertising features.

“It’s very important [CISOs] review the settings on any platform you use,” Evans said. “While Google has an incentive to push you in the direction of using these [data] integrations, they are also, I am certain, very transparent about what these settings do.” So, he said, know how any service’s security and privacy controls work.

“Regardless of what precautions an admin takes,” he stressed, “if there is a concern by the organization that Google Ads would use this information, they should really consider whether or not they should be using a platform like Google Analytics in the first place. Because from a technical perspective, there is nothing stopping Google from sharing the information across its platform. … Google definitely gives you a great bunch of controls, but technically speaking, that data is within the walls of that organization, and it’s impossible to know from the outside how that data is being used.”

The bigger question for a CISO to consider, he added, is whether data sharing with a third party is part of their threat model. There is inherent risk in sending data to a cloud provider, he said, but that risk may be outweighed by the benefits of using a reputable cloud provider.

“From a CISO’s perspective, here’s the key,” said Esnar Seker, CISO at SOCRadar: “When configuring Google Analytics, you must ensure that no query parameters, form inputs, or dynamic page elements can inadvertently pass sensitive data into the tracking code,” to prevent it from tracking URLs with embedded personal information. For example, he said, if your application generates URLs like example.com/results?user=JohnDoe&dob=01011990, Google Analytics will collect those parameters unless the data is explicitly filtered out.

Letting Google Analytics capture form field values should also be avoided, he said. This includes names, emails, birth dates, or anything classified as personally identifiable information or personal health information. Many sites unintentionally pass these through JavaScript variables that Analytics scripts can pick up, he noted.

Risk mitigation

In the Google Analytics admin console, admins should:

  1.  Disable enhanced measurement features like site search tracking or form interactions unless they’re certain they don’t expose sensitive data.
  2.  Use filters to strip URL parameters that may contain identifying information.
  3.  Limit access to Google Analytics configurations to only those with proper data privacy training, and ensure there’s an infosec sign-off on every implementation or change.

Never rely on Google Analytics to secure or anonymize your data, Seker added. It is not a security tool. Admins must ensure the data being sent is safe, before it ever reaches Google’s servers.
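The points Seker makes above – strip identifying query parameters before they reach the tracking code, never forward form values, turn off the advertising integrations, and gate what is sent before it leaves the browser – can be implemented client-side around the standard gtag.js snippet. The block below is an added example written for this page; it is not code from Blue Shield of California, Google, SOCRadar, or the article. The parameter names in SENSITIVE_PARAMS, the sample URLs, the form field names, and the placeholder measurement ID are assumptions chosen to mirror the article’s example URL; the gtag config keys (send_page_view, allow_google_signals, allow_ad_personalization_signals) are documented gtag.js settings, and `gtag()` is defined exactly as in Google’s own snippet so the example runs offline in Node.

```javascript
// Added example (not from the article, Google, or Blue Shield of California):
// scrubbing PII/PHI out of what a page hands to Google Analytics 4 via gtag.js,
// disabling the Ads-side integrations, and refusing to send anything that still
// looks like personal data. Parameter names and sample inputs are assumptions.

// Google's own snippet shape: gtag() just pushes its arguments onto the dataLayer.
// In a browser this would be window.dataLayer; here it is a plain array so the
// example runs under Node without a DOM.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Query parameters that must never reach analytics (hypothetical list; extend per app).
const SENSITIVE_PARAMS = new Set(['user', 'dob', 'email', 'name', 'member_id', 'ssn', 'claim_id']);

// Value shapes that indicate PII/PHI even under an innocuous parameter name.
// Deliberately conservative: a false positive costs one redacted parameter,
// a false negative puts member data in Google's hands.
const PII_PATTERNS = [
  /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i,   // e-mail address
  /\b\d{3}-\d{2}-\d{4}\b/,                     // US SSN-shaped
  /\b\d{8}\b|\b\d{2}\/\d{2}\/\d{4}\b/,         // date-of-birth-shaped (01011990, 01/01/1990)
];

function looksLikePii(value) {
  return PII_PATTERNS.some((re) => re.test(String(value)));
}

// Rewrite a page URL so sensitive query parameters are redacted and the fragment dropped.
// This is the browser-side equivalent of "filter URL parameters" and runs before gtag
// ever sees the location, rather than relying on a filter inside Google's console.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const [key, value] of Array.from(url.searchParams.entries())) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase()) || looksLikePii(value)) {
      url.searchParams.set(key, 'REDACTED');
    }
  }
  url.hash = '';  // fragments never reach your own server, but GA reads them client-side
  return url.toString();
}

// gtag config that turns off the integrations the article describes (Google Signals,
// ad personalization) and suppresses the automatic page_view so only a scrubbed one is sent.
function analyticsSettings() {
  return {
    send_page_view: false,
    allow_google_signals: false,
    allow_ad_personalization_signals: false,
  };
}

// A page_view built only from the scrubbed URL.
function buildPageView(rawUrl, title) {
  return { page_location: scrubUrl(rawUrl), page_title: title };
}

// For form interactions report structure only (which form, which field names, how many);
// the values entered by the user are discarded and never enter the payload.
function buildFormEvent(formId, fields) {
  const names = Object.keys(fields);
  return { form_id: formId, field_count: names.length, field_names: names.join(',') };
}

// Final gate before anything is pushed to the dataLayer: block any payload that still
// carries PII-shaped values. Returns true if forwarded, false if blocked.
function sendEvent(name, params) {
  if (Object.values(params).some(looksLikePii)) return false;
  gtag('event', name, params);
  return true;
}

// Usage, mirroring the article's example URL (placeholder measurement ID, an assumption).
gtag('js', new Date());
gtag('config', 'G-XXXXXXXXXX', analyticsSettings());
sendEvent('page_view', buildPageView('https://example.com/results?user=JohnDoe&dob=01011990', 'Results'));
sendEvent('form_interaction', buildFormEvent('signup', { name: 'John Doe', email: 'j@example.com' }));
```

Note what this does and does not cover: it stops identifiers in URLs, fragments and form values from being handed to the tag, and it disables the Ads-facing settings at configuration time, but it is still a control applied to data before it reaches Google. Once data is in Google’s systems, the point Evans makes stands: nothing technical on your side governs how it is used there, so the scrubbing has to be complete before the push, which is why the gate in `sendEvent` is the last step rather than a filter configured inside Analytics.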

“Lastly, don’t assume that just because it’s ‘analytics’, it’s low-risk. Breaches like this prove that even passive tracking can become a major compliance failure.”

Asked for comment, a Google spokesperson said, “Businesses, not Google, manage the data they collect, and must inform users about its collection and use. By default, any data sent to Google Analytics for measurement does not identify individuals, and we have strict policies against collecting Private Health Information (PHI) or advertising based on sensitive information.”

The original article: Lesson from huge Blue Shield California data breach: Read the manual | CSO Online