Navigating the Risks: Third-Party Data Breaches in Ad-Tech

Third-party data breaches in Ad-Tech are on the rise, exposing sensitive information and compromising digital security. Learn about the risks and real-world cases like Dollar Tree and Microsoft, and discover how to protect your business from these growing threats.

Third-party data is a type of data typically collected for marketing and advertising purposes. Unlike first-party data, where the information is collected directly from the source, and second-party data, where businesses buy first-party data from other companies, third-party data is bought from data aggregators who are not the original owners of the data.

This type of data is aggregated and packaged by a third party and sold to companies. The third-party has no direct relationship with the data subject and is not the original collector. 

When marketers discuss first-party and third-party data, they mean information that helps them target ads better. This data allows them to customize offers for their consumers. This often comes in the form of cookie information that they can use to target and track specific users.

Marketers often use this data in a demand-side platform. It helps decide which ad impressions to buy from exchanges. This way, it can get the best possible returns.

Third-Party Data Breaches:

As online transactions became more common, companies started to collect and store vast amounts of customer data, such as names, addresses, and payment details. It also made businesses rely more than ever on third-party vendors for various services, such as payment processing, cloud and infrastructure engineering, API integrations, customer support, and marketing.

A third-party data breach is an incident where sensitive data from an organization is not stolen directly from it but through one of its third-party vendors. In this case, the vendor’s systems are misused to access the organization’s systems. 

These breaches are becoming increasingly common and, as a result, organizations are often unable to visualize where their data goes. Sensitive data can easily be shared with suppliers and subcontractors that the organization knows little to nothing about.

Some recent examples of third-party data breaches in the Ad-Tech industry:

Dollar Tree:

In November 2023, Dollar Tree announced a data breach that affected almost 2 million people. This happened after service provider Zeroed-In Technologies was hacked. Hackers stole the personal information of Dollar Tree and Family Dollar employees on August 7 and 8, 2023. The stolen data includes names, dates of birth, and Social Security numbers.

Okta:
In October 2023, Okta was contacted by Rightway Healthcare, which informed Okta about unauthorized access to an eligibility census file. Rightway maintains this file as part of its services to Okta. The exposed information related to almost 5,000 Okta employees and their dependents and consisted of personal and health data.

Microsoft:
In January 2024, Microsoft's security team discovered an attack on its email systems, with the perpetrator later identified as Midnight Blizzard, also known as NOBELIUM, a Russian state-backed actor. This ongoing incident breached email accounts and data of both US government departments and commercial enterprises. The hackers downloaded approximately 60,000 emails from the State Department alone.

LinkedIn:
In March 2023, LinkedIn announced a data leak impacting over 700 million users. The leak happened when cybercriminals took advantage of a flaw in a third-party software library utilized by the firm. The compromised data encompassed users' names, email IDs, and other private details.

Volkswagen:
In June 2021, Volkswagen's US unit said that a data breach at a vendor impacted more than 3.3 million customers and prospective buyers in North America. Volkswagen Group of America said an unauthorized third party obtained limited personal information about customers and interested buyers from a vendor that its Audi and Volkswagen brands and some U.S. and Canadian dealers used for digital sales and marketing.

Uber:
In December 2022, Uber acknowledged a data breach by a third party following the online posting of Uber and Uber Eats staff email addresses, IT asset details, and corporate report data by a malicious actor. According to security experts, the exposed data provides sufficient information for launching specific phishing attacks on Uber's workforce.

American Express:
In March 2024, American Express disclosed that a cybersecurity event had affected an unnamed third-party merchant processor. This breach in the third party's security led to the exposure of confidential customer information, encompassing existing or formerly issued American Express card account numbers, cardholder names, and other card-related details like expiry dates.

And the list keeps growing every week…

Challenges with Third-Party Data:

  1. Data Leakage 
    Data leakage can occur when users traverse the web, leaving a trail of demographic information, purchase history, location data, content consumption history, and other signals across the websites they visit.

    Third-party cookies make data leakage possible by enabling parties who don’t have a direct relationship with the user to build audience segments or misappropriate targeting data that the website owner may not have agreed to or known about. This not only negatively impacts user privacy but also harms publishers by allowing ad tech to reuse this data elsewhere without compensating the publisher at all.
  2. Data Accuracy
    One of the major challenges is ensuring data accuracy. Third-party data, collected from various external sources, may not always be reliable or up-to-date. This can lead to inconsistencies and inaccuracies in customer profiles, ultimately affecting the quality of marketing strategies and decisions.
  3. Google Issue:
    The impending Google phase-out of third-party cookies further complicates the use of third-party data. This shift demands that businesses find alternative methods to track and understand their audience.

Google Timeline:

  • January 2020: Google first announced that it would phase out support for third-party cookies in the browser.
  • June 2021: Google announced a two-year delay for the third-party cookie phase-out to the second half of 2023. 
  • July 2022: Google delayed the phase-out plan to the second half of 2024.
  • Q4 2023: Google provides Chrome-facilitated testing modes that allow sites to preview how site behavior and functionality work without third-party cookies.
  • Q1 2024: Google disables third-party cookies for 1% of users to facilitate testing.
  • Q3 2024: Google starts deprecating third-party data for all Chrome users. 

The Road Ahead:

The exploitation of trusted third parties continues to be a prevalent security concern. According to research, 98% of organizations are affiliated with a third party that has experienced a breach. Furthermore, third-party attacks have led to 29% of breaches. The far-reaching consequences of these incidents, from financial losses to compromised customer data and support, and eroded consumer trust, demand immediate and concerted action. 

It is essential to understand that the world of digital marketing is undergoing a significant transition. At Carter, we aim to navigate the risk posed by third-party data and work on enabling deep, direct relationships while maintaining transparency and trust among your customers.

Want to know how? Try Carter 

📩- talk@trycarter.com

About the author
Carter
