Ending data breaches

4 years ago   •   7 min read

By Fernando Sanchez

Large-scale data breaches in recent times have seriously undermined customer confidence about corporations' ability to keep personal information safe and secure. Blockchain technology decentralizes datasets, disincentivizing malicious actors from accessing information honeypots.

In the past decade, two landmark events torpedoed customer trust in large corporations below the waterline. Two incidents in which the identities of hundreds of millions of people, who believed their data was safely stored online, were misappropriated by third parties.

Cambridge Analytica and Equifax have become synonymous with identity theft, and by extension, mistrust in corporate entities that were hitherto free to manage and handle the confidential data of millions of people in any way they saw fit, with somewhat predictable consequences.

Cambridge Analytica

When news of the Cambridge Analytica scandal exploded back in 2018, the internet grew a little darker almost overnight. Data harvesting was nothing new (data-extracting bots and scripts had been roaming the web for years), but the factors that set the Cambridge Analytica affair well apart from any previous data harvesting incidents were a) its sheer scale, and
b) the sinister political ramifications of what’s arguably one of the greatest data-related scandals of the past decade.

The scale of the event was breathtaking, with an estimated 50m Facebook accounts becoming compromised. Yet, despite the enormity of the incident, when speaking on CNN, Facebook CEO Mark Zuckerberg simply referred to the debacle as a ‘mistake’ and ‘a breach of trust.’ In March 2018, he published a letter apologizing on behalf of his company. And by April, Facebook finally implemented the EU-mandated General Data Protection Regulation (GDPR) framework in all geographical areas where the social media giant operates. Still, the Cambridge Analytica event casts a long shadow over Facebook’s privacy policies to this day.

Equifax

The extent of the Cambridge Analytica incident would soon be dwarfed by another large-scale data breach, this time affecting Equifax, one of the world’s largest consumer credit reporting agencies.

The Equifax hack, which had commenced as far back as 2017 but only became publicly known in 2019, affected the data of hundreds of millions of people whose records were under the company’s custodianship. That is hundreds of millions of personally identifiable records, including names, addresses, social security numbers, driver license numbers, credit card numbers (around two hundred thousand of them), and other sensitive information. The Equifax hack was particularly insidious, as data exfiltration had been ongoing for years before being detected.

Conservative estimations say that the records of at least 143 million people were compromised. To put this figure into perspective, that’s over 40 percent of the entire population of the United States.

Other data breaches

Cambridge Analytica and Equifax are perhaps landmark events in terms of data breaches, but they’re far from the only ones. As recently as 2020, several high-profile companies fell prey to malicious data hacks.

In February 2020, for example, MGM Resorts suffered a grievous infiltration that resulted in over 142 million personal records being posted to the Dark Web. These included the names, addresses, phone numbers, and email addresses of people who had stayed at the resorts.

Also in the same month, as many as 100,000 users of photography app PhotoSquared had their photos and other personal information stolen because of an unsecured database.

The following month, the second-largest pharmacy chain in the United States, Walgreens, reported that an undisclosed amount of customers who used its mobile app had their information compromised. The company did not reveal the true extent of the hack, but the app had by then been downloaded over 10m times.

In March too, General Electric, Marriott International were the target of data thieves. Zoom and Beaumont Health in April. The list goes on.

The consequences of data breaches

The fallout from these two events immediately threw the issue of how large corporations manage our personal data (and how safe our information really is, when handled by someone else) into the spotlight. Many people, rightly, began to question how can these companies guarantee the security and integrity of our data? Who’s looking at our personal information? And why should we trust these entities?

So the immediate consequences of data breaches (large or small) are clear:

  • From the customers’ perspective, trust in centralized organizations is eroded (or destroyed altogether)

  • From the businesses’ point of view, there is an obvious financial risk, the potential for devastating legal liabilities, and operational downtime. But perhaps the most devastating effect of a data breach is the enduring reputational damage that it inflicts.

Blockchain: A decentralized solution to a centralized problem

Large-scale data breaches, much like air disasters, are hardly ever attributable to a single point of failure. Usually, there is an unfortunate but definite chain of events that ultimately results in catastrophic failure. Many factors might contribute to hacking incidents: Lax cybersecurity, for instance. Equifax is a prime example of this: A well-known Java vulnerability that should have been patched but hadn’t become the ‘back door’ exploited by infiltrators. Cambridge Analytica’s issue wasn’t so much a hack in the strict sense of the term. Instead, a seemingly innocuous survey was used to gather data to be sold to third parties.

But if there is one issue that stands out as the main facilitator for a hack is the centralized nature of all these companies. IT systems, while backed up and sometimes featuring redundancy, are inherently central points of interest for would-be hackers. Servers, databases, and other such frameworks, if penetrated, usually enable attackers to move around as they please. While the chance of detection exists, this risk is minimized (or altogether removed) by security failures (Equifax administrators didn’t notice their systems had been compromised for about 18 months.)

In a decentralized network, every participating computer holds an exact copy of the blockchain, so any attempt to tamper or alter a record would be noticed immediately. From a security standpoint, blockchain offers a far more resilient framework right off the bat.

Benefits of SSI to the enterprise

The shift to digital identity management is a crucial consideration in today’s enterprise space. The degree of potential and applicability in each enterprise will depend on factors such as the company’s size, sector, governance requirements, and many others. But a SSI framework can deliver a host of benefits and advantages that support its adoption.

Fraud reduction

Fraud is a constant threat to any business. Equifax paid dearly for the hack we discussed earlier, to the tune of $2bn so far, according to some sources. Removing the possibility of fraud through digital identity is a must for any enterprise. This alone would warrant heavy investment by businesses around the world.

Reduced customer onboarding costs

Within the confines of the financial industry, customer onboarding is currently a costly and long-winded process. Compliance training alone ranks among the highest yearly expenses incurred by banks, reaching up to $4.5bn. Yet, Know-your-customer (KYC) and Anti-money laundering (AML) training is a keystone of the sector, so it’s unavoidable.

A lot of the difficulties associated with KYC, AML, and compliance training derive from the fact that there’s a lot of paperwork involved. Delving into a particular individual or organization’s financial past can lead down a complex and deep rabbit hole that could take weeks, if not months to fully explore before making a decision. The availability of all this information in a digital and cryptographically signed form that could be verified in real-time thanks to the full auditability of the blockchain would resolve these issues. This would produce great savings in terms of money and time, potentially reducing the onboarding process to a matter of hours.

Reduced customer service costs

The customer is always right, as the adage goes. But to make sure customers are heard and dealt with in a manner that is satisfactory both for the customer and the enterprise, businesses invest large amounts of resources to the creation of customer support platforms, with various degrees of success.

It is a costly affair, too. According to Forbes, businesses can lose up to $75bn due to poor customer service, and a large chunk of this loss stems from lost or misplaced passwords, difficulties accessing services due to administrative errors, and related problems.

SSI can counteract this trend by creating a framework of passwordless authentication, for example, and generally creating a smoother and more positive user identification and authentication environment.

Tamper-proof data provenance

Determining the legitimacy of a specific piece of information can be very difficult. The outcome of a long process of research might not even be absolute, in terms of knowing with a 100% degree of certainty that the origin of a piece of data is legitimate. In other words, doubts and questions might remain.

Tamper-proof digital identifiers completely remove this uncertainty, as blockchain’s immutability assures that data is legitimate, and its origin is clear and unequivocal.

Conclusion

Data breaches affect not only the enterprise directly involved in the incident. These events affect us all. In 2016 alone, for example, credit card and identity-related fraud cost upwards of $16m in the United States alone. These costs might be passed on to customers in the form of fees, or increased premiums.

Blockchain offers two key assets to eradicate data breaches:

  • Immutability

  • Decentralization

By creating an environment where every participant can see what’s happening in the network at any time, data manipulation becomes much harder, if not impossible.

Atala PRISM comes to eliminate business risks and facilitate handling personal data in a more customer centric way

Atala PRISM is a decentralized identity solution that enables organizations to interact with their customers in a seamless, private, and secure way. Fully compliant with regulatory requirements (including GDPR), the solution has built-in data and privacy mechanisms. This resiliency of the solution creates a limitless trust network that significantly reduces any business risks associated with holding customer data. The serverless apps that Atala PRISM provides store personally identifiable information with the end-users. In this way it eliminates the chances of potential data breaches causing reputational damage, embarrassment and loss of trust.

What’s more, Atala PRISM allows enterprises to instantly onboard new customers with reusable KYC credentials. This immediate verification means fewer scams, as well as reduced time and cost to authenticate customers. Providing automated, hassle-free user journeys around product/service registration and checkout ultimately results in maximized sales and reduced abandoned baskets.

To learn more about Atala PRISM and talk about the opportunity decentralized identity can bring to your business, contact us at business.development@iohk.io.

Spread the word