The Data Privacy Revolution
In an era where data breaches, ransomware, and other cyber threats are becoming increasingly sophisticated, traditional methods of protecting data, PII, and other sensitive details are proving inadequate.
Decades ago, neither HTTP nor email were encrypted, yet we would never dream of sending any form of communication today without security. Encrypting data at rest was “unnecessary” when you trusted your firewall to keep the bad guys out. How times have changed.
The current landscape shows a disturbing rise in data breaches and ransomware attacks, which are becoming more frequent, damaging, and costly. The financial and reputational costs to businesses are enormous, while consumers suffer from the loss of privacy, trust, and exposure to fraud. Breakout times (the first lateral movement during a breach) are at an all-time low, and with the added weapon of AI-driven ransomware, they are set to trend lower still.
Other emerging, malware-free approaches, like deepfake banking attacks, raise the bar further and are expected to rapidly increase fraud losses in the next few years. It was only a couple of years ago that banks started silently authenticating clients over the phone via voice recognition, and now, that is exploitable too…
Attack Prevalence
Breaches and ransomware not only affect larger players. In Alberta, 51% of small and medium businesses were attacked by cybercriminals in 2023, with 55% paying a ransom in the past three years (2020-2023).
Additionally, 65% of these businesses have legacy systems that make them vulnerable, and only 44% are planning to prioritize cybersecurity. Alarmingly, 53% do not have a plan to address potential ransomware attacks should they occur.
Even if all the legacy systems were upgraded—a costly endeavor—new vulnerabilities will always emerge. Today, it is not a matter of if, but when a breach will occur.
Traditionally, major improvements in data protection have been reactive, focusing on mitigating damage after a breach occurs. However, with the increasing sophistication of cyberattacks, this approach is no longer sufficient. It often takes weeks or even months to fully understand the scope of a breach.
LastPass Breach – a Cautionary Tale for Lack of Observability
The LastPass breach in 2022 is a great example. Here is a high-level timeline of the investigation’s findings.
August 25th, 2022
“Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”
September 15th, 2022
“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.”
November 30th, 2022
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information…(snip)…We are working diligently to understand the scope of the incident and identify what specific information has been accessed.”
December 22nd, 2022
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.”
We can see that in the post-breach investigation, their findings go from “someone got into dev, but nothing else” in August, to “yeah, they stole customer vaults” in December. That’s four-plus months just to figure out how bad it was. That is pretty normal where there is no unified observability solution, and that is the case for many organizations.
While there are multiple emerging vendor solutions addressing observability, these are still reactive solutions. How do we get ahead of the attackers? How do we keep data from getting breached in the first place?
We need to completely rethink how we handle PII and other sensitive data, and we need to do it fast.
If we could go back to the first e-commerce transactions in the early 1990’s, I would propose a system where we did not enter the PII and payment details to begin with…
By doing so we can defeat a multitude of attack techniques such as MITM, Credential Stuffing, Password Spraying, Pass-the-Hash, keyloggers, while also reducing instances of fraud such as identity theft, imposter and payment scams.
But how would we ever complete a transaction? How would payment and shipping details be shared?
Well, first of all, we’ve had security tools like PGP and GPG since the 1990s, and AES since 2001. I would argue that there is no good reason to not create a model where you do not physically, and repetitively, type in sensitive details and PII.
Enter – The Data Privacy Revolution
A new (patent pending) solution will fill a gap in the consumer protection space by providing a consumer-focused platform that enables users to secure their PII (name, address, email, credit card, social insurance/security number, driver’s license, etc.) and even create multiple merchant-specific profiles.
Your data never leaves your device. Instead, unique transactional tokens are generated on demand that act as placeholders. These “placeholders” are shared with merchants in the e-commerce setting, and can be validated against the solution’s API.
Not only does your personal information never leave your device, it is never stored with the merchant, and never later exposed in a data breach/leak.
Additionally, an auditing and monitoring system will provide valuable insight into merchant behavior, promoting accountability and fostering a trusted ecosystem. This system incentivizes merchants to adhere to best practices through detailed audit logs and trust scores based on data handling practices and user feedback.
Consumers can also greatly benefit from this ecosystem through updates and alerts should activity occur without their consent. Users can opt in to ensure transactions cannot be processed without their tokens and consent.
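An added illustration, not from the original post and not the patent-pending product's design (which the post does not describe): one way a PII-free, merchant-bound, single-use token could be issued on a device and checked by a validation API that logs every attempt. The HMAC key enrolled with the validator, the claim names and the `Validator` class are all assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(device_key, merchant_id, amount_cents, ttl=300, now=None):
    """Runs on the user's device (assumed design): the token carries
    transaction claims only, never name, address or card number."""
    now = int(time.time()) if now is None else now
    claims = {"mid": merchant_id, "amt": amount_cents,
              "exp": now + ttl, "jti": secrets.token_hex(16)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(device_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

class Validator:
    """Hypothetical validation service: holds the enrolled key, not the PII."""
    def __init__(self, device_key):
        self.device_key = device_key
        self.used = set()   # spent token ids, so a token works once
        self.audit = []     # (time, merchant, result) for every attempt

    def validate(self, token, merchant_id, amount_cents, now=None):
        now = int(time.time()) if now is None else now
        result = self._check(token, merchant_id, amount_cents, now)
        self.audit.append((now, merchant_id, result))  # failures are logged too
        return result

    def _check(self, token, merchant_id, amount_cents, now):
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except ValueError:  # wrong part count or bad base64
            return "malformed"
        expected = hmac.new(self.device_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad_signature"
        claims = json.loads(body)  # parsed only after the tag verifies
        if claims["mid"] != merchant_id or claims["amt"] != amount_cents:
            return "wrong_merchant_or_amount"  # token presented elsewhere
        if now > claims["exp"]:
            return "expired"
        if claims["jti"] in self.used:
            return "replayed"
        self.used.add(claims["jti"])
        return "ok"
```

A token copied from one merchant's systems fails at any other merchant and after first use, and the rejected attempts in `audit` are the kind of record that consumer alerts and merchant trust scores could be built on.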
Naturally, you probably have a few logistical and operational questions at this point. Further details and demos will be coming soon.
*** This is a Security Bloggers Network syndicated blog from Berry Networks authored by David Michael Berry. Read the original post at: https://berry-networks.com/2024/06/18/the-data-privacy-revolution/

