Data has proven to be a blessing and a curse. At its best, data helps a company to see in the dark, to identify patterns and trends that were previously invisible, and to treat individual customers as if they’re the brand’s best friends.

At its worst, data leaks out of a secure environment, causing those customers grief, stress or financial loss; bringing significant financial penalties from regulators and a share price drop; and quickly destroying hard-earned market reputation and trust.

Data breaches such as theft and leaks are so commonplace that they are now expected, says Dr Eric Lim, senior lecturer in the School of Information Systems and Technology Management at the University of New South Wales.

“I strongly believe, based on the evidence that we have seen so far, the measures that a lot of companies have taken don’t seem to be working. Over time, we see companies being compromised almost like clockwork,” Lim, also founder and director of UNSW Crypto Clinic, says.

“Because of the fact that businesses keep most of their data in a centralised database, once they get hacked all of the data will be leaked. The consequences are dire.”

The list of recent breached businesses is long and contains numerous names of the nation’s, and some of the world’s, best-known brands – Optus, Telstra, Woolworths, Medibank, Microsoft, Australian Federal Police, Harcourts, LJ Hooker, the State Revenue Office of Victoria, TPG Telecom, Bunnings, Canva, Latitude Financial, and so many more.

“We have tried this method for a long time and it doesn’t seem to work,” Lim says. “So perhaps we can start a conversation about trying a different way of storing and securing data.”

Data management: A better way

The first question managers should ask, Lim says, is whether they need all of their customer data in one, centralised database.

Marketing of various technology solutions has often pointed to the benefits of a single source of data truth. But that may also be what is causing the downsides in data management.

“If you’re going to consolidate massive amounts of data in one place, in a centralised solution, you’re going to attract a lot of attackers,” Lim says.

“You’ve created a treasure trove, and most attackers are going to focus all their attention on attacking that treasure trove. They’ll eventually find a way in, because centralised solutions are only as strong as their weakest link.”

Lim says decentralisation, which blockchain technology could provide, offers a way to stop such attacks.

Rather than creating an “alluring honeypot”, Lim says, businesses could encourage employees and customers to hold their own data on a public blockchain. This would decentralise the database.

The decentralised identifier (DID), Lim explained in a recent paper, “has a well-defined standard based on the World Wide Web Consortium (W3C) as a ‘new type of identifier that enables verifiable, decentralised digital identity … In contrast to typical, federated identifiers, DIDs have been designed so that they may be decoupled from centralised registries, identity providers and certificate authorities’.”

Lim explains: “Individuals can first create a pointer on the blockchain. The pointer is your public address for a particular transaction.

“If you see this public address on the blockchain, the owner of this address can easily prove ownership of this public address through a digital signature created using the owner’s private key using mathematics and cryptography. The pointer contains no personal information.”

In this model, individuals hold all of the pieces of information relating to their identity, known as credentials, on their own device, such as a phone or computer: economic and health data, passports, licences and other private records.

When a credential is used for a commercial or administrative purpose, the holder signs it with their private key, producing a mathematically verifiable digital signature. The signature does not reveal the private key, and because it is bound to the specific transaction it is unique to that one use of the credential.

Anyone other than the owner who steals the credentials or tries to pose as the owner cannot create a valid digital signature that matches the owner’s public address, because doing so requires the private key.

“So, they can’t open a bank account in my name or spend money on my credit card using my digital credentials, even if they managed to get hold of them, because they don’t have my private key and can’t create a valid digital signature,” Lim says. “They also can’t pass on a previous digital signature from a previous instantiation of a transaction, because it is only valid for that particular transaction.”

De-identifying data held by businesses

Much of the data held by businesses doesn’t actually need to be identifiable to a specific individual, says Dr Hassan Jameel Asghar, Senior Lecturer in Computer Science at Macquarie University’s School of Computing.

Consider the data that is meant to be released publicly, as opposed to data that is hacked and then released.

“Public data sets are treated to ensure the data remains useful, but doesn’t lead to re-identification of people’s identities,” Asghar says.

Data released by the Australian Bureau of Statistics, for example, is de-identified but still useful in that it shows local trends and patterns.

Can de-identification be used by businesses to reduce the risk inherent in holding data? Absolutely, Asghar says, but only in certain situations.

“If a business wants to customise experiences for particular individuals, they likely need to access that individual’s data,” he says.

For example, Asghar says, if a pet store wants to know if a customer has a cat or a dog, they will need data relating to that individual.

“For any data that does not require tracking one particular individual – if you’re interested in whether people who come to your store are more interested in dogs or cats – you can treat that data so you can still see statistics across groups and regions,” he says. “But the de-identification needs to be done in a principled way.”

In other words, de-identification is not straightforward. It requires technical expertise, Asghar says, as does the encryption of data sets, which is another security mechanism.
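As an added example of the distinction Asghar draws (not code from the article), the Python below answers the individual-level question from the identified records and the group-level question from an aggregated table in which direct identifiers are dropped, postcode is coarsened to a region, and any count below a minimum group size is suppressed. The customer records are constructed, and the region rule and the threshold of three are assumptions.

```python
"""Added example: record-level question versus de-identified aggregate.
Customer records are constructed; the region rule (first two postcode digits)
and the minimum cell size are assumptions for illustration."""
from collections import Counter

CUSTOMERS = [
    {"customer_id": 101, "name": "A. Nguyen", "postcode": "2010", "pet": "dog"},
    {"customer_id": 102, "name": "B. Smith",  "postcode": "2011", "pet": "dog"},
    {"customer_id": 103, "name": "C. Lee",    "postcode": "2017", "pet": "dog"},
    {"customer_id": 104, "name": "D. Patel",  "postcode": "2021", "pet": "dog"},
    {"customer_id": 105, "name": "E. Rossi",  "postcode": "2031", "pet": "cat"},
    {"customer_id": 106, "name": "F. Khan",   "postcode": "2034", "pet": "cat"},
    {"customer_id": 107, "name": "G. Brown",  "postcode": "3000", "pet": "dog"},
    {"customer_id": 108, "name": "H. Wong",   "postcode": "3004", "pet": "dog"},
    {"customer_id": 109, "name": "I. Silva",  "postcode": "3011", "pet": "dog"},
    {"customer_id": 110, "name": "J. Okafor", "postcode": "3020", "pet": "cat"},
    {"customer_id": 111, "name": "K. Ito",    "postcode": "3040", "pet": "cat"},
    {"customer_id": 112, "name": "L. Muller", "postcode": "3056", "pet": "cat"},
]

DIRECT_IDENTIFIERS = {"customer_id", "name"}
MIN_CELL = 3  # assumed: never release a count that describes fewer than 3 people

def region_of(postcode):
    """Coarsen a quasi-identifier: a full postcode can single people out,
    a region rarely does (assumed rule: keep the first two digits)."""
    return postcode[:2] + "xx"

def pet_of_customer(records, customer_id):
    """The individual-level question from the text (does this customer have a
    cat or a dog?) genuinely needs the identified record."""
    for r in records:
        if r["customer_id"] == customer_id:
            return r["pet"]
    return None

def pets_by_region(records, min_cell=MIN_CELL):
    """The group-level question (dogs or cats, by region) answered from a
    de-identified table: identifiers stripped, postcode coarsened, small cells
    suppressed (None) so no cell describes fewer than min_cell people."""
    stripped = [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
                for r in records]
    counts = Counter((region_of(r["postcode"]), r["pet"]) for r in stripped)
    return {cell: (n if n >= min_cell else None) for cell, n in sorted(counts.items())}
```

On the constructed data the released table shows four dog owners in region 20xx, three of each in 30xx, and suppresses the two cat owners in 20xx, while the store can still answer the per-customer question from the identified records it keeps for that purpose. Small-cell suppression is the floor, not the whole of a principled treatment: publishing region totals beside the table lets a suppressed cell be recovered by subtraction, and repeated releases over changing data leak the differences between them, which is the kind of problem Asghar’s “principled way” refers to.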

But when weighed up against the likely damage caused by a data breach, the effort and expense is easily justified.

Where does an organisation begin?

Asghar says businesses should consider what identifying data they require, and which business processes could run just as efficiently – and far more safely – with de-identified, aggregated data.

“Some data needs to be accessed regularly, but how can we treat that data in a way that protects the privacy of individuals?” Asghar asks.

Often it’s a question of utility, he says.

“The potential of the original database is minimised when the data is de-identified,” Asghar says. “In many cases, once you process the data to a more privacy-friendly format, you don’t get as much utility as you would get from the original data. But how much does that really matter to your processes?”

Many organisations store customer data as a matter of course, often without yet knowing what they might do with it. When that data is breached, the fallout is dramatically worse than if the data had been de-identified.

Businesses must be familiar with the data they’re storing and its purpose, Lim says.

“If they got rid of much of the data, would it make business sense?” Lim asks.

“Maybe it would, when you consider the liability the business has when that data is hacked.”


Excerpt from an article in the Public Accountant, reported by Chris Sheedy.