Several factors made the Equifax data breach particularly serious and costly – so could blockchain technology help make personal identity data more secure online?
This article on Knowledge@Wharton asks: After Equifax, can our data ever be safe? It's a question that millions of Americans might be asking themselves right now. Unfortunately it's not a matter of picking a new password online, as the data accessed in the Equifax breach include names, social security numbers (SSNs), birth dates, addresses and driver's licence numbers – none of which can be easily changed.
'Most serious data breach we've ever had'
The data breach affected the personal details of 143 million Americans in May-June this year (it was Equifax's second cyber attack this year following one in March) but news of the fraud didn't hit the news until September. At least 400,000 Britons were also affected (some reports have estimated this figure could be as high as 44 million) as well as 100,000 Canadians. The breach at Equifax – an Atlanta-based consumer credit reporting agency used by banks and credit lending companies – is not the biggest but is one of the most serious cybersecurity crimes of recent times due to the sensitivity of the data that was hacked. Wharton professor Gerald Faulhaber calls it “quite possibly the most serious data breach we’ve ever had in terms of its potential cost.” The breach has cost Equifax's chief information officer and chief security officer their jobs and, according to Faulhaber, could cost consumers billions of dollars over the next decade.
A growing data problem
What made the Equifax breach so bad? Apparently Equifax held personal consumer data all in one place. Decentralising the storage of sensitive data might be one of the basic rules of making a system more secure and attack-proof. Unfortunately, that data was also extremely sensitive, as SSNs are difficult to change in the US and are used as identifiers in a wide range of situations. Added to that, data breaches are in any case becoming more common in the US – according to the Identity Theft Resource Center, the number of data breaches in America in the first half of 2017 is up 29 per cent on last year and is on track to rack up 1,500 attacks by the end of the year.
Is blockchain the answer?
But it seems there is a potential answer to this growing problem: cryptography. Wharton professor Kevin Werbach said: “Ultimately, the solution is what’s called self-sovereign identity. It’s possible to build identity systems today that are decentralized yet secure and verifiable, based on cryptography.”
The article in Knowledge@Wharton explains that in this system, people can control their own data, rather than it being controlled by a central authority such as the federal government. Individuals can choose to provide the data (their self-sovereign identity) to businesses, agencies and others for verification. The identifying data can reside in a virtual wallet, which can be unlocked by the individual’s public ID number and a private key, which could be a sequence of random numbers generated by the user.
So technology – specifically distributed ledger technology – could provide an attractive solution to the world's increasing identity/data security problem. Werbach says there are several initiatives currently under development to create a self-sovereign identity system – from the Sovrin Foundation and Hyperledger Foundation. Hyperledger's Indy, for example, supports independent identity on distributed ledgers. The project addresses the problem of there being too much personal data now readily available online, as well as stored data accessible to hackers through data breaches. Werbach explains: “It uses the blockchain’s distributed ledger technology as a platform for these identities. Importantly, personal information is never written to the ledger; rather, parties exchange data through encrypted, peer-to-peer connections. The platform uses open standards so it can work with other distributed ledgers.”
Stiffer penalties for companies
Another Wharton professor, Gad Allon, underlines that the technology in itself is not enough. There is a need for governments to engage with this by passing tougher cybersecurity laws and penalties, and for companies to ensure they protect customer data more securely. Allon calls for companies to face tough penalties if they fail to protect customer data and for there to be a timeframe under which companies must declare the data breach. He said: “The penalty for firms has to be heavier. We should also have specific regulations about who has the liability in these cases and how quickly firms should admit [they have been hacked]. We see more and more situations where firms only acknowledge these things months after they happen.… This is why people have to go to jail for these things.”
CTMfile take: The EU's General Data Protection Regulation (GDPR) goes some way to address some of the concerns outlined by Wharton professor Gad Allon. As of May 2018, companies will have 72 hours to disclose any serious data breaches to the relevant authorities and to the individual concerned. They will also face stiff penalties of four per cent of annual global turnover or €20 million, whichever is greater, for failing to comply with the GDPR's rules on protecting consumer data.
Like this item? Get our Weekly Update newsletter. Subscribe today