The data breach at credit reporting agency Equifax, the gory details of which became clear last week, is the latest installment in a series of cybersecurity disasters in which consumers have borne the brunt of the damage. The breach exposed the information of 143 million people. That’s not a big number when compared to some of the bigger data breaches of the past year, such as Yahoo’s record-breaking breach of 1 billion user accounts.
However, what made the Equifax breach especially damaging was the sensitivity of the data that attackers laid their hands on. This included Social Security numbers, driver’s license numbers, credit card information, birthdates and addresses, and more. The only data breaches that compared in terms of severity were Anthem (approx. 80 million people affected) and the Office of Personnel Management (approx. 21 million people affected).
What makes matters worse is that Equifax professes to be a company that protects its customers from identity theft, the same kind of cyberattack that the stolen data will enable. The company is now scrambling to make amends with customers, and is getting ready to face several lawsuits. But that won’t bring back the data that has slipped through its fingers.
Disappointingly, the attackers were able to break into the company’s network through a web server vulnerability for which a patch had been available at least two months before the breach. There is no excuse for that at a company that bills itself as a protector of consumer data.
The main takeaway is that whatever company you trust with your data, no matter how adept they are (or claim to be) at protecting their network against cyberattacks, they will eventually let their guard down, as Equifax showed. After all (and I know I’ve said this a thousand times), cybersecurity experts have to win every battle—cybercriminals only have to win once.
However, the way the internet currently works, we are required to provide our personal information to every new service we sign up with. And every time we give away such information, we’re expanding our personal attack surface. How many times have you typed in your SSN or credit card number, uploaded a copy of your driver’s license, or handed over other information that can be used to perform or approve sensitive operations? The most likely answer to that question is, “I don’t know.”
Each company only needs to leak a fraction of your information, not all of it. Cybercriminals are a patient lot. They will meticulously gather and link those bits of information, along with the ton of information that is publicly available about every single one of us, to create digital profiles. And they don’t need to do it manually. They can use machine learning algorithms, programs that automatically find patterns and correlations in the reams of data they gather. Those profiles can be used to stage spearphishing attacks, take over social media, email and bank accounts, impersonate targets, and more.
The bigger threat is to your identity itself.
So what is the remedy? That is still up for debate. I think giving full ownership of data to users is a better alternative to the current broken state of personal information storage and protection. There are currently plenty of new technologies that help protect personal devices against data theft or intrusion. However, they’re useless when the data they’re supposed to protect is lying elsewhere, on a server that has unpatched vulnerabilities.
Secure smartphones, blockchain technology and artificial intelligence can be the key elements of secure personal data stores. I recently reviewed some interesting solutions in a VentureBeat article. The goal would be to restructure the internet to shift from architectures that are created around applications to models where users and their data stores sit at the center, in which applications request and acquire permission to use user information without storing it in their own back-end.
How do these technologies come into play? First, blockchain will be the distributed ledger where data ownership rights and encryption keys are stored. Blockchain will make sure no one but the user will own the data. The data itself can be stored in a back-end storage of choice, such as Google Drive or Dropbox. Encryption will prevent the service from using the data for its own purposes. This is the model that blockchain project Blockstack uses to store user profile data.
The user will decide which applications will be allowed to access that information. In order to protect personal information, personal data stores can use encryption and distributed storage to provide computation functionalities without the need to reveal their content, a process known as “homomorphic encryption.” Enigma, a blockchain project developed by bitcoin entrepreneurs and the MIT Media Lab, has managed to accomplish this.
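An added illustration (not code from this article, Blockstack or Enigma) of a service computing on data it cannot read: the Paillier cryptosystem, in which multiplying ciphertexts adds the underlying plaintexts. The fixed Mersenne primes, the function names and the sample values are assumptions made for the example; a deployment would generate large random primes.

```python
import math
import secrets

# Demonstration parameters (assumption): two known Mersenne primes stand in
# for the large random primes a real key generator would produce.
P, Q = 2**89 - 1, 2**107 - 1

def keygen(p=P, q=Q):
    """Return (public n, private (lam, mu)) for Paillier with g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    return n, (lam, pow(lam, -1, n))

def encrypt(n, m):
    """Encrypt integer 0 <= m < n under public key n (randomized)."""
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n2) % n2

def decrypt(n, priv, c):
    """Recover the plaintext; only the key holder (the user) can do this."""
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def add_encrypted(n, c1, c2):
    """Ciphertext product decrypts to the sum of the two plaintexts."""
    return c1 * c2 % (n * n)

def scale_encrypted(n, c, k):
    """Ciphertext raised to k decrypts to k times the plaintext."""
    return pow(c, k, n * n)

def service_total(n, ciphertexts):
    """What an untrusted application runs: it sees only n and ciphertexts."""
    total = encrypt(n, 0)
    for c in ciphertexts:
        total = add_encrypted(n, total, c)
    return total

if __name__ == "__main__":
    n, priv = keygen()
    payments = [1200, 850, 430]            # constructed sample values
    stored = [encrypt(n, v) for v in payments]
    print(decrypt(n, priv, service_total(n, stored)))  # 2480
```

The service never holds `priv`, so a breach of its storage yields only ciphertexts; the randomized encryption also means equal values do not produce equal ciphertexts.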
Mobile technology and artificial intelligence are the glue. One of the main barriers to giving users control of the data is the management and security burden it puts on their shoulders. Mobile devices are becoming reliable locations to store sensitive information such as blockchain encryption keys, thanks to technologies such as iPhone’s Secure Enclave and robust authentication and identification mechanisms integrated in modern mobile operating systems. And with AI assistants becoming more and more available, it’s easy to get help in managing your data and access to it. This is the idea behind Pillar Project, the blockchain-based, personal wallet that will store and manage all your digital assets, including cryptocurrencies, contact information, health records, Social Security numbers, etc.
With such a system, massive data breaches like the Equifax disaster would not happen, because there would be no central store for cybercriminals to hack. This would lift the burden of data protection from the shoulders of online services and distribute it across users, the real owners of the data. And they would have the means to protect themselves.
Truth be told, getting around all the technical, legal and social barriers to create a web that will put the power of data back into the hands of users is easier said than done. And to be fair, this is not a perfect solution, and it would have its own set of security challenges where individual users become the target of hackers. But users are already being targeted for their data and assets, so that wouldn’t be a big change. The real change would be that those users would be more savvy about the value of their data and would put the tools (which are certainly at their disposal) to use to protect it. At least, the next time someone tries to steal your data, you will be able to do something about it.