Breached But Still Protected
Data Privacy on Fire
We’re still seeing data breach headlines burning across news outlets and social media, fast and hot:
- The Equifax Breach was Entirely Preventable – Wired
- States Investigate Experian Data Breach – Krebs on Security
- ‘Heartbleed’ Bug in OpenSSL Exposes Millions of Online Passwords – Reuters
- Millions of Target Customers’ Credit, Debit Card Accounts May Be Hit by Data Breach – NBC News
- Neiman Marcus Data Breach Worse Than First Said – New York Times
- Retailers Hit by Credit-Data Breach Smaller Than Target’s – Bloomberg News
And the fire burns on. From employment files in a Tennessee school district to millions of customers’ credit cards or other personal data nationwide, there is only one commonality among all these events: there are criminals willing (and apparently, able) to find as many ways as possible to access personally identifiable information (PII).
According to PC World, “there are a few factors that combine to fuel this trend. First, credit card data and related customer information are a goldmine for attackers. The information can be used to clone credit cards, and the associated personal details may be useful for additional credit fraud and identity theft.”
The article Retailer Data Breach Trend Not Likely to End Soon focuses on just what happens in the retail and restaurant industry. However, these incidents are not confined to those sectors, and occur in BFSI, healthcare, educational institutions, and government. So for a problem that is so rampant, what’s being done to better protect consumer data?
From the standpoints of consumers trying to protect their privacy and corporations maintaining their data, the most common defenses are prevention, detection, and remediation. But the reality is things are getting worse, not better. If you’re not sure, look at the PRC’s Chronology of Data Breaches.
Let it Burn?
IRI has a different strategy – breach nullification. Yes, of course do everything you can to prevent access to the data. Secure the network with firewalls, sniffers, appliances, and by all means lock down your databases and devices.
But at the end of the day, if the thieves finally do get access to that data at rest, is all lost? We say no. What if the PII columns or values in your data sources were already masked with granular protection functions (much less ones that you could keep changing)? It’s much harder to identify or impersonate a consumer from an exposed record (even if just one column were decrypted) when each of their associated data elements has its own encryption, redaction, hashing, tokenization, or other concealment function applied … functions the same thief cannot readily reverse. Decryption keys can be differentiated or even “scattered to the wind” this way too; i.e., even if they got one, they’d still need a lot more than one to mine the gold.
The point is, targeted and consistent data masking functions that you choose to apply to key (and quasi-) identifiers can nullify, or at least, retard, the fire damage from a data breach. Take a look at the tools in the IRI Data Protector Suite that are designed to mitigate data breaches, comply with data privacy laws, and serve up test data. Then, tell us about your use case, and we’ll help you prototype a solution to protect the consumer, patient, student, or secret data that you keep.
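As an added illustration of the per-column masking described above (example code written for this post, not IRI’s own software or its API), the sketch below applies a different concealment function, and an independent key, to each PII column of a constructed sample record. The token vault and key names are hypothetical.

```python
import hmac
import hashlib
import secrets

# Constructed sample record; not a real person's data.
RECORD = {"name": "Jane Example", "ssn": "123-45-6789", "email": "jane@example.com",
          "card": "4111111111111111", "zip": "02139"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): consistent under one key, so a column can still be
    joined on by whoever holds that key, but not reversed or guessed without it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def redact_card(pan: str) -> str:
    """Irreversible redaction that keeps only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def generalize_zip(zip_code: str) -> str:
    """Quasi-identifier: keep only the 3-digit ZIP prefix."""
    return zip_code[:3] + "XX"


class TokenVault:
    """Reversible tokenization: a random token maps back to the value only inside
    this (hypothetical, in-memory) vault, which is stored apart from the data."""
    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # no relation to the value
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def new_keys() -> dict:
    """One independent secret per keyed column: keys 'scattered', not shared."""
    return {"ssn": secrets.token_bytes(32), "email": secrets.token_bytes(32)}


def mask_record(record: dict, keys: dict, vault: TokenVault) -> dict:
    """Each column gets its own function and, where keyed, its own key, so exposing
    one column (or one key) reveals nothing about the other columns."""
    return {"name": vault.tokenize(record["name"]),
            "ssn": pseudonymize(record["ssn"], keys["ssn"]),
            "email": pseudonymize(record["email"], keys["email"]),
            "card": redact_card(record["card"]),
            "zip": generalize_zip(record["zip"])}
```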