Data Privacy on Fire
We’re still seeing data breach headlines burning across news outlets and social media, fast and hot:
- The Equifax Breach was Entirely Preventable – Wired
- States Investigate Experian Data Breach – Krebs on Security
- ‘Heartbleed’ Bug in OpenSSL Exposes Millions of Online Passwords – Reuters
- Millions of Target Customers’ Credit, Debit Card Accounts May Be Hit by Data Breach – NBC News
- Neiman Marcus Data Breach Worse Than First Said – New York Times
- Retailers Hit by Credit-Data Breach Smaller Than Target’s – Bloomberg News
And the fire burns on. From employment files in a Tennessee school district to millions of customers’ credit cards or other personal data nationwide, there is only one commonality among all these events: there are criminals willing (and apparently able) to find as many ways as possible to access personally identifiable information (PII).
According to PC World, “there are a few factors that combine to fuel this trend. First, credit card data and related customer information are a goldmine for attackers. The information can be used to clone credit cards, and the associated personal details may be useful for additional credit fraud and identity theft.”
The article Retailer Data Breach Trend Not Likely to End Soon focuses on just what happens in the retail and restaurant industries. However, these incidents are not confined to those sectors; they also occur in BFSI (banking, financial services and insurance), healthcare, educational institutions, and government. So for a problem this rampant, what’s being done to better protect consumer data?
From the standpoints of consumers trying to protect their privacy and corporations maintaining their data, the most common defenses are prevention, detection, and remediation. But the reality is that things are getting worse, not better. If you’re not sure, look at the Privacy Rights Clearinghouse (PRC) Chronology of Data Breaches.
Let it Burn?
IRI has a different strategy – breach nullification. Yes, of course do everything you can to prevent access to the data. Secure the network with firewalls, sniffers, appliances, and by all means lock down your databases and devices.
But at the end of the day, if the thieves finally do get access to that data at rest, is all lost? We say no. What if each PII column or field in your data sources had its own protection method (let alone one that you could keep changing)? It’s much harder to fully identify a consumer from an exposed record (even if just one column were decrypted) because all the other columns can still have their own encryption, masking, hashing, tokenization, or other concealment function … functions the same thief cannot readily reverse. Decryption keys can be “scattered to the wind” this way too; i.e., a thief will need a lot more than one key to mine the gold.
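The per-column idea above, as an added example (not IRI or FieldShield code): each field of a constructed sample record gets its own concealment function and its own key, and the `recover` function shows what a thief holding only one leaked key gets back. The record values, key names and the HMAC-based keystream cipher are all assumptions made for this illustration; a production tool would use a real cipher such as AES.

```python
import hashlib
import hmac
import secrets

# Constructed sample record: every value below is made up for this example.
RECORD = {"name": "Jane Example", "ssn": "123-45-6789",
          "card": "4111111111111111", "email": "jane@example.com"}

def keyed_hash(value: str, key: bytes) -> str:
    """One-way but joinable: same value and key always give the same digest."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def mask_card(value: str) -> str:
    """Partial redaction: keep the last four digits; there is no key to steal."""
    return "*" * (len(value) - 4) + value[-4:]

def xor_crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Reversible concealment (encrypt and decrypt are the same operation).
    Keystream = HMAC-SHA256(key, nonce || counter), a standard-library stand-in
    for a real cipher such as AES so the example runs without extra packages."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def tokenize(value: str, vault: dict) -> str:
    """Replace the value with a random token; only the vault maps it back."""
    token = secrets.token_hex(8)
    vault[token] = value
    return token

def protect_record(record: dict, keys: dict, vault: dict) -> dict:
    """Apply a different concealment function, with its own key, per column."""
    nonce = secrets.token_bytes(12)
    return {"name": tokenize(record["name"], vault),
            "ssn": keyed_hash(record["ssn"], keys["ssn"]),
            "card": mask_card(record["card"]),
            "email_nonce": nonce,
            "email": xor_crypt(record["email"].encode(), keys["email"], nonce)}

def recover(protected: dict, leaked_keys: dict, leaked_vault: dict = None) -> dict:
    """What a thief holding only `leaked_keys` (and maybe the vault) gets back.
    Hashed and masked columns are never reversed, even with their key."""
    found = {}
    if "email" in leaked_keys:
        blob = xor_crypt(protected["email"], leaked_keys["email"], protected["email_nonce"])
        found["email"] = blob.decode("utf-8", errors="replace")
    if leaked_vault is not None and protected["name"] in leaked_vault:
        found["name"] = leaked_vault[protected["name"]]
    return found
```

Losing the email key exposes one column and nothing else; losing the token vault exposes the name and nothing else, which is the "scattered keys" property the text describes.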
The point is, targeted and granular data masking functions that you choose to apply to key identifiers can nullify, or at least retard, the fire damage from a data breach. Take a look at IRI FieldShield software and let us know what you think the additional role of data masking is in consumer (and patient) data privacy protection.