One Single Technology Could Have Prevented All the Biggest Data Breaches in the Past Year

If you’ve followed the news in the last year, you have probably heard about at least one major data breach exposing the information of millions of Americans. In 2017, there were a record-breaking 1,579 reported data breaches, a 44.7% increase over the numbers reported in 2016 (which was also a record-breaking year).

This explosive growth in the number of reported breaches each year clearly points to an issue in how personal data is collected and stored by organizations and corporations. To address this issue, we have examined the biggest four data breaches reported in 2017 and identified commonalities between the company‘s handling of data that led to the breach. A single technology, edge security could have prevented all four of these breaches and the majority of the other 1,574.

The Big Four

When discussing the big data breaches of 2017, four quickly come to mind: Equifax, Deep Root Analytics, Uber, and Yahoo. In all four cases, a company trusted with personal information failed to properly secure it, leading to its exposure when their systems were breached.

Equifax

When asked about the biggest data breach of 2017, most people‘s minds go directly to Equifax. The credit monitoring company discovered in July 2017 that a hacker had gained access to their systems in May 2017 and had access through July 2017. Initially, Equifax reported that 143 million people were affected, but later increased this number by 2.4 million. Stolen information included names, Social Security Numbers, addresses and birthdates for all affected people and credit card information for 209,000 Americans.

Deep Root Analytics (RNC)

Deep Root Analytics is a data analysis firm hired by the Republican National Committee to perform large-scale data collection and mining on American voters. Results included probable positions of voters on big issues like abortion, gun control, school vouchers, etc. and is intended to help target campaigns toward the most receptive voters.

The Deep Root Analytics breach is unique among the four studied here because no-one needed to hack into their systems to access their sensitive data. Deep Root Analytics stored about 25 terabytes of voter data on an improperly secured S3 bucket, a form of cloud storage provided by Amazon. This cloud storage was available without password protection so anyone who could find the proper web address could access and download the data. This unprotected database included data on approximately 198 million voters, roughly half of the American population, and included names and addresses as well as estimated voter positions on big issues.

Uber

Unlike the previous two breaches, the Uber breach didn’t actually happen in 2017; that’s just when the breach became public. In late 2016, a hacker gained access to Uber’s systems and stole personal information including the names, email addresses, and phone numbers of 57 million users and driver’s license numbers of 60,000 US Uber drivers. Rather than disclose the breach (as is required by law in Uber’s home state of California), Uber paid the hacker $100,000 in return for assurances that the data would be destroyed. To cover up the payment, it was claimed to be part of a bug bounty program where a company pays hackers to identify and ethically disclose vulnerabilities to them. The breach was finally made public over a year later in November 2017 by the new CEO of Uber, who has apparently only learned of it in August of that year.

Yahoo

Continuing in the vein of the public learning the details of a breach long after it occurs is the Yahoo breach. In 2016, Yahoo discovered evidence that it had been breached, resulting in the exposure of account information for approximately 1 billion of its users. However, this breach actually occurred in 2013. In 2017, Yahoo was acquired by Verizon, and, shortly after the acquisition, the number of affected accounts jumped from 1 billion to 3 billion (all of them). Breached information included the names, email addresses, and passwords of everyone with a Yahoo email account.

Preventing Data Breaches

While all of these breaches affected companies in different industries (financial, politics, service, and technology) and occurred at different times, they all have one thing in common. In all cases, an organization collected a large amount of personal information and stored it all in a central server. This created a single, irresistible target for a hacker; by gaining access to a single database and the information necessary to decrypt its contents (if encryption was enabled at all), a hacker gained instant access to valuable personal data of millions of people.

As long as organizations continue to create these massive repositories of valuable information, data breaches will continue to happen. By implementing one simple technology, edge security, companies can remove the risk of a future breach of valuable customer data.

Edge Security: Preventing Data Breaches

Edge security is a new data storage paradigm in which information is encrypted by the users before ever reaching the organization’s network. If customers’ personal data is encrypted and an organization does not have access to the decryption keys, there is no way for an attacker to breach a company’s network and instantly gain access to all of the data. Data breaches would be a thing of the past since they would result in the hacker gaining little or nothing of value.

For the majority of companies, a user’s personal information is primarily used to verify that a visitor to a website is actually who they claim to be. To accomplish this, companies store the email address (or username) and a hash of the password of the affected user. The user provides their email address (or username) and their password to the website, and the website verifies that the password matches the one on file for the provided email address (or username).

In this scheme, an attacker gains two pieces of useful information from a breach of the company database: the email address of a client of the company and the hash of the user’s password. As many people reuse the same password for different accounts, by learning this combination for one site, the attacker may be able to gain access to more valuable accounts on other sites (banking, e-commerce, etc.) if they manage to crack the password.

If a company implemented edge security, the attacker would gain neither of these pieces of information. When creating an account, a company’s site could be configured to accept an email address and password as input. On the user’s computer, the browser would calculate the hash of the email address and then calculate the combination of this hash and the user’s selected password and send these hashes to the company to be stored in their database. When a user wishes to log into the site, they provide their email address and password and their browser computes the hashes and sends them to the company for verification. Since the input of a hash function cannot be learned from the output, someone must know the user’s email address and password to generate the correct combination of hashes, and a breach of the database reveals nothing but a large number of hash pairs. This allows a company to protect access to a user’s account while putting none of the user’s personal information at risk of a breach.