A World With No Data Breaches: Is It Even Possible?
Frances Zelazny
Co-Founder & CEO, Anonybit | Strategic Advisor | Startups and Scaleups | Enterprise SaaS | Marketing, Business Development, Strategy | CHIEF | Women in Fintech Power List 100 | SIA Women in Security Forum Power 100
On July 6, Marriott, the multinational hotel franchise, announced its second data breach since the beginning of this year. The incident traces back to June, when a Marriott employee fell victim to a social engineering scheme run by an unnamed group of hackers. With that one misstep, the group gained access to the employee's computer, which opened the door for them to steal roughly 20 GB of personal data, including credit card information, confidential business documents, and customer payment information.
If two massive data breaches in 6 months alone don't point to serious lapses in company-wide security infrastructure, Marriott's long history of breaches certainly does. In early February 2020, Marriott hotels endured a reputation-damaging breach that exposed the personal information of approximately 5.2 million guests. Just two years prior, an even more harrowing incident occurred in which the personal information of 339 million guests may have been compromised. Despite the devastating fallout of both breaches, including a $21.8m fine imposed by the U.K.'s Information Commissioner's Office (ICO) following the 2018 attacks, Marriott said its security measures had been improved, yet it still left millions of customers exposed without implementing the appropriate safeguards.
Marriott is not alone and should not be singled out.
While the scale of these cyberattacks certainly varies, this narrative is one we've heard many times before: corporations are tapped for access to sensitive information, compromising their operations, reputation, and in some cases, longevity. Hackers capitalize on the stolen information, impersonating individuals, breaching accounts, and selling this personally identifiable information (PII) on the Dark Web to underpin a $16.1 trillion economy. Endless amounts of information exist there, from personal to financial to online account login data, and the Dark Web is the perfect environment in which to transact it.
According to PrivacyAffairs' Dark Web Price Index, leaked information collected from various data breaches can be found for sale at bargain prices. For example, a cloned credit card may be available for just $20; a PayPal account could cost $150 depending on the available credit; and a Gmail account, just $65. On the Dark Web, hackers can piece together bits of data scavenged from different breaches to craft mature profiles, and from there these cybercriminals have an easier time taking over even more personal accounts.
On the Surface Web, the accessible World Wide Web, users and vulnerable security infrastructures grant access to accounts on the strength of this personal information, giving cybercriminals unfettered access to corporate networks and bank accounts, the ability to implant ransomware, and much more. Over the past decade, the number of data breaches per year has risen dramatically, from a mere 662 in 2010 to over 1,000 by 2021, and these breaches are only becoming more dangerous.
The fact is, as long as the data has value and utility, the breaches will continue. Cybercrime is big business: in 2021 alone, identity fraud losses tallied $56 billion, and the cost of all cybercrime is predicted to hit $10.5 trillion by 2025.
As terrifying as these numbers are, it is worth noting the root causes of the situation:
The Emergence of PII Vaults
To end the cycle, both of these root causes must be addressed. Doing one without the other is not enough.
Personal data must be secured in such a way that even insiders do not have access to central repositories. New types of data vaults are emerging to address the weak links in maintaining and securing personal data. They generally combine encryption, tokenization, masking, and other privacy-preserving technologies with privileged access management and data governance tools. But often the data is still centralized, there is still a reliance on tokens that must be managed, and access is still gated by weak authenticators.
So the idea is correct: we should separate personal data from other repositories. But we must be careful not to create, in the process, an even easier and more focused target for attackers by holding that data in a single dedicated environment. The answer lies in next-generation decentralization technologies that can handle all the different data types and ensure that access to the data is protected with user biometrics.
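The contrast drawn in the two paragraphs above, as an added illustration that is not code from the original article or from Anonybit: a centralized tokenization vault whose single table exposes every record to anyone who can read it, beside one simple form of decentralization, an n-of-n XOR secret split across separate stores, where the shares held by any proper subset of stores are statistically independent of the record. The XOR split is one illustrative construction chosen here, not the page's own technology; the sample record is constructed.

```python
import os
import secrets

# Constructed sample PII record for the demo; not real data.
RECORD = b"name=Jane Example;card=4111111111111111;dob=1980-01-01"


class TokenVault:
    """Centralized tokenization: one table maps token -> cleartext PII.
    Tokens are safe to hand out, but the table is a single focused target;
    whoever reads it (insider or attacker) gets every record at once."""

    def __init__(self):
        self._table = {}

    def tokenize(self, pii):
        token = secrets.token_hex(8)
        self._table[token] = pii
        return token

    def detokenize(self, token):
        return self._table[token]

    def dump(self):
        return dict(self._table)  # what a breach of the vault store yields


def xor_all(chunks):
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def split(pii, n):
    """n-of-n XOR secret sharing: n-1 shares are uniformly random, the last
    is pii XOR all of them. Each share lives in a separate store, so the
    shares from any proper subset of stores reveal nothing about the record."""
    shares = [os.urandom(len(pii)) for _ in range(n - 1)]
    shares.append(xor_all(shares + [pii]))
    return shares


def reconstruct(shares):
    """Only a party holding every share (after strong authentication) recovers pii."""
    return xor_all(shares)


def breach_yields_record(shares, stolen):
    """Simulate compromise of the listed stores: does the loot equal the record?"""
    return xor_all([shares[i] for i in stolen]) == RECORD
```

Compromising the vault store returns the full record via `dump()`, while compromising one or two of three share stores returns bytes that are independent of it; only all three shares reconstruct the record.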
The number of data breaches tells us how much personal data is up for grabs. Think about images, demographic, biographic, financial, healthcare and many other personal data types that need to be protected. If we can ensure that they are out of reach of attackers and lessen our dependence on weak authenticators, it is possible to get out of the dangerous cycle we find ourselves in.
This will require serious intervention from cybersecurity professionals and commitment from government agencies, corporations and non-profits alike (all have been breached) to treat personal data with the same sense of corporate responsibility they apply to the environment. Regulatory compliance is not enough. Decentralization technologies and strong authentication mechanisms are available. There is no excuse for anyone not to act.
Certified Fraud Examiner (2 years): Thanks for sharing!
MIT Alum | Engineer | Cybersecurity | Cloud | AI | ESG | Founder & IPO | TEDx | CRN Channel | CEFCYS CYBER (2 years): Thank you for posting - crazy repeat incident. The first was blamed on the acquired company.