In this exclusive Q&A, Daryl Crockett, CEO and founder of Valid Datum, discusses the nefarious nature of the modern-day hacker, what our rights really are when it comes to GDPR, and explains why something called ‘micro-tokenisation’ might well be the key to keeping breaches at bay.
What sort of things do hackers use our data for?
Hackers can have several motives for obtaining your data:
1. To sell your data to another criminal: If you are part of a mass data breach, then the most likely path is to sell it on the dark web. Stolen personal data can sell for $5-$6 USD. Stolen data can be sold many times over and can linger on the dark web for years.
2. To gain access to your banking or credit card info: Stolen data such as login IDs and passwords obtained from one site can be tried as logins on higher-value sites which contain financial information such as bank accounts or credit card info. The credit card information can be used to
3. To gain access to your business or your employer’s data: People are the weak link in a company’s security, so thieves often target employees to gain access to corporate data.
4. For gaining access to a broader audience: Thieves steal your identity to take control of your email contact list, Facebook and Instagram contacts to be able to mass market without your permission.
5. Personal maliciousness or mischief: Some hackers target high-profile individuals as a form of personal or political vengeance, or just for the sport of landing a big phish.
Can GDPR actually help protect us from breaches? Without the correct implementation, surely it’s just four letters that don’t mean a great deal.
The regulations alone which comprise GDPR do not protect consumers from data breaches. The simple fact is, even if an organisation reaches GDPR compliance, this achievement alone does not guarantee protection of personal data.
What the regulation does provide is an assurance that a GDPR “compliant” organisation identifies and maps all data sources and repositories, that prescribed documentation and data risk assessments are created and maintained, and that appropriate security controls are implemented.
The aggregate effect is a greater level of data privacy for EU citizens; however, one advanced technical measure, called “micro-tokenisation” (a form of pseudonymisation), would most certainly protect personal data from the risk of mass data breaches. Micro-tokenisation is now drawing major interest from within the US military and other Government sectors and is garnering notice from commercial sectors as well.
Valid Datum strongly advocates the implementation of advanced technical controls for personal data which has been classified as “high risk”. And not all software which pseudonymises data is created equal. Advanced technologies such as micro-tokenisation encryption (MTE) generate the strongest form of data pseudonymisation. That said, under GDPR, pseudonymisation is only “advised”, not required.
Say a company does suffer a breach and our bank details are released, what rights do we actually have as the customer? This has happened to me personally and I was simply told ‘contact your bank’ which I (and I’m sure many others) don’t think is good enough.
Under GDPR and DPA 2018, the language regarding communications to data subjects as a result of a data breach seems relatively straightforward:
“Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must inform the data subject of the breach without undue delay.”
But is there any recourse for the data subject whose bank details were compromised? As Europeans start to flex their collective data subject “muscles” by exercising their rights as EU subjects under GDPR, scenarios such as the breach of bank details as described above will result in a significant increase in class action suits.
The British Airways data breach in September 2018 led to a massive class action suit. The results of this suit, and many others (unfortunately, the courts are now choked with these suits), will be watched closely (there have been no rulings on class action suits since the inception of GDPR). If the suit against British Airways is successful, each data subject will be able to claim £1,500.
Frankly, the teeth behind GDPR data subject rights will only bear fruit if/when companies receive large fines (only small fines have been levied to this point) and courts rule in favour of class action suits, or a competitive market advantage is eroded.
When it comes to the physical data centre wherein much of our private personal data resides, what levels of security do you feel are necessary to avoid a breach or attack?
Data Centres should adhere to a list of standards and best practices necessary to protect your firm’s intellectual property and sensitive personal data.
The list includes SSAE 16 (Type II), ISO 27001, SOC 2 Type 2, SOC 3 Type 2, PCI DSS for those that require payment card information to be secured, and HIPAA compliance for those that are securing healthcare information as well as self-certifying to the EU-U.S. Privacy Shield Framework.
In addition, many organisations adhere to ISO “27K” standards, which is a series of standards which relate to process and physical controls of information security systems (there was initial confusion when GDPR was enacted – some organisations believed that if they were ISO 27001 certified, compliance with GDPR was obtained by default – but this is not true!).
It is critical that we do not confuse compliancy with security. While compliancy is a first step, and certainly a requirement under GDPR, do not be fooled into thinking your data centre is safe from malicious actors.
Additional security, such as implementation of a shared Digital Vault, a private Digital Vault, and/or deployment of technology such as MicroToken Exchange, provides unassailable data protection.
While many are lulled into a false sense of security, assuming encryption minimises a firm’s security risks, this is simply not the case. We read about firms almost every week who are encountering mass data breaches due to the use of non-effective encryption schemes (the recent Marriott data breach being a good example – PCI data, such as credit card numbers, were encrypted, but there is suspicion the attackers were able to access the two data silos containing the encrypted data and the encryption keys, which could allow them to re-identify the card numbers).
Should a hacker wish to infiltrate a data centre, how are they likely to approach it?
The hacker has many options relative to compromising a data centre. Let us focus on three popular techniques used by hackers in 2018:
- DDoS attack: a distributed denial of service attack utilises botnets (which attach to a machine as a result of malware) to overwhelm targeted web servers with traffic. A DDoS attack alone will not cause a data breach, but if control of a system is obtained, a vulnerability can exist leading to other methods causing the actual breach.
- Web application attack: hackers use methods such as SQL injection, cross-site scripting, and cross-site forgery to compromise applications and steal data (this method played a role in the British Airways data breach).
- Brute force and weak authentication: many systems still enforce single-factor, password-based authentication. Hackers utilise a host of methods, from simple guessing to stolen credentials and automated password-compromising tools.
Cybercriminals generally fall into two main categories: State-sponsored cyber-terrorists and those attempting to monetise the activity. The hackers of today target all types of personal information for financial gain, but the most lucrative category of personal data is in the healthcare sector.
It is estimated a cybercriminal can sell healthcare data on the dark web for 200-300 pounds per record, while credit card data fetches only 5-6 pounds per record.
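The third technique above (brute force against single-factor, password-based logins) is also the easiest of the three to spot from the defender's side. The following is an added example, not from the interview or from Valid Datum: it parses a constructed authentication log and flags sources that burst failed logins against one account (password guessing), spray many accounts from one source (credential stuffing, i.e. re-use of stolen credentials), or succeed immediately after such a burst. The log format, field names and thresholds are assumptions.

```python
"""Flag password-guessing and credential-stuffing in a constructed auth log.

Added example for the "brute force and weak authentication" point above; the
log format and the thresholds are assumptions, not any product's real output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
2018-11-03T10:00:01Z auth login result=fail user=alice src=203.0.113.5
2018-11-03T10:00:02Z auth login result=fail user=alice src=203.0.113.5
2018-11-03T10:00:03Z auth login result=fail user=alice src=203.0.113.5
2018-11-03T10:00:04Z auth login result=fail user=alice src=203.0.113.5
2018-11-03T10:00:05Z auth login result=fail user=alice src=203.0.113.5
2018-11-03T10:00:06Z auth login result=success user=alice src=203.0.113.5
2018-11-03T10:00:10Z auth login result=fail user=bob src=198.51.100.7
2018-11-03T10:00:11Z auth login result=fail user=carol src=198.51.100.7
2018-11-03T10:00:12Z auth login result=fail user=dave src=198.51.100.7
2018-11-03T10:00:13Z auth login result=fail user=erin src=198.51.100.7
2018-11-03T10:05:00Z auth login result=fail user=frank src=192.0.2.9
2018-11-03T10:20:00Z auth login result=success user=frank src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, result, user, src) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=1), max_failures=4, max_users=3):
    """Return {src: set(reasons)} for sources whose failures inside any `window`
    exceed max_failures (password guessing) or touch more than max_users
    distinct accounts (credential stuffing). A success from the same source
    within `window` of the last failure is flagged separately, because that is
    the event worth paging on rather than the noise before it."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)
    findings = defaultdict(set)
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "fail"]
        for i, (ts, _, _, _) in enumerate(fails):
            # Sliding window starting at each failure; events are time-sorted.
            burst = [e for e in fails[i:] if e[0] - ts <= window]
            if len(burst) > max_failures:
                findings[src].add("password-guessing")
            if len({e[2] for e in burst}) > max_users:
                findings[src].add("credential-stuffing")
        if findings.get(src):
            last_fail = max(e[0] for e in fails)
            if any(e[1] == "success" and last_fail < e[0] <= last_fail + window for e in evs):
                findings[src].add("success-after-burst")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in detect(parse_log(SAMPLE_LOG)).items():
        print(src, sorted(reasons))
```

On the constructed sample, 203.0.113.5 is reported for password guessing followed by a success, 198.51.100.7 for credential stuffing, and 192.0.2.9 (one failure, then a success fifteen minutes later) is not reported at all. Thresholds this low are only for the demonstration; on a real login service they are tuned against the normal failure rate, and the "success-after-burst" finding is the one that justifies forcing a credential reset.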
Do you think there is a skills gap present in the IT industry currently? Do ‘the good guys’ have the necessary skills to keep hackers at bay?
Not only is there a skills gap in the IT industry, but a shortage of cybersecurity professionals which has reached critical mass around the globe. A recent survey indicated 60% of companies across the globe feel they are at moderate or extreme risk of a cyberattack due to a shortage of trained personnel.
Final word: What needs to happen next to ensure our data remains safe?
Data privacy laws such as GDPR have certainly increased personal vigilance relative to data privacy. The law has provided the consumer the opportunity to take more responsibility and ownership of how their personal data is utilised.
Not to be overlooked, these new laws have forced companies to place greater emphasis on consumer data privacy by increasing budgets to implement programs and controls and creating new positions (such as Data Privacy Officer under GDPR) to comply with regulatory authorities.
As privacy and security by design principles are incorporated into new software and networking solutions, the risk of data hacks will be reduced. However, this transition will not occur overnight.
Many archaic systems are in place and budgets to upgrade can be limited. The first step without overhauling a system (assuming a GDPR compliance program has already commenced), is to secure private data by using the strongest form of tokenisation method for both data in transit and data at rest.
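The closing recommendation, and the earlier Marriott point that encrypted data is only as safe as the keys stored next to it, both rest on the same idea: replace the sensitive value with a token that carries no information, and keep the only mapping somewhere the application database cannot reach. The following is an added illustration of that pattern in Python; it is a generic token vault written for this page, not Valid Datum's MicroToken Exchange or any other product, and the class names, token format and the constructed test card number are assumptions.

```python
"""Vault-based tokenisation of card numbers at rest (added example, generic pattern).

The application database stores only tokens. The TokenVault holds the sole
token -> value mapping and is meant to be a separately administered system, so
a copy of the application database alone contains nothing that can be
reversed, unlike ciphertext whose key sits in a neighbouring silo.
"""
import hashlib
import hmac
import secrets


class TokenVault:
    def __init__(self, index_key: bytes):
        # Keyed index lets a repeated value map to its existing token without
        # the index itself being a usable copy of the plaintext.
        self._index_key = index_key
        self._token_to_value = {}
        self._index_to_token = {}

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token: random digits, last four kept for display."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card-number-shaped value")
        idx = self._index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject the (negligible) collision with an existing token or the real number.
            if token not in self._token_to_value and token != pan:
                break
        self._token_to_value[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access (e.g. the payment step) ever see the real value."""
        return self._token_to_value[token]


def store_order(vault: TokenVault, db: dict, order_id: str, pan: str, amount: int) -> dict:
    """Application side: the real card number is exchanged for a token before it is written."""
    db[order_id] = {"pan_token": vault.tokenize(pan), "amount": amount}
    return db[order_id]


def leaked_db_reveals(db: dict) -> list:
    """Everything card-related that a copy of the application database contains."""
    return sorted(row["pan_token"] for row in db.values())


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))  # key held by the vault, not the app
    orders = {}
    # "4242424242424242" is a well-known test card number, used here as constructed input.
    store_order(vault, orders, "order-1", "4242424242424242", 1999)
    store_order(vault, orders, "order-2", "4242424242424242", 500)
    print("application database holds:", leaked_db_reveals(orders))
    print("vault recovers:", vault.detokenize(orders["order-1"]["pan_token"]))
```

The same card number tokenises to the same token, so the application can still group orders by card without ever holding the number, and the token shares the real number's length and last four digits so existing display and schema code keeps working. Both properties are design choices: if grouping is not needed, the keyed index can be dropped and every tokenisation can return a fresh token. Pseudonymised this way, a leaked application database is a list of random digits; re-identification requires a second, separate breach of the vault, which is the point the interview makes about keeping the two silos apart.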