20 April, 2018
It may seem as if our data can’t hurt us. Most of us go years at a time without experiencing anything unusual. But with new and bigger breaches reported every year, it’s becoming increasingly clear that we are vulnerable. At the time of writing, Privacy Rights Clearinghouse has detailed 8,073 data breaches since 2005, including over 10.2 billion compromised records—and that’s just what has been made public. Hackers can access bank accounts, medical records, credit reports, usernames and passwords, and other private data, and can use it to inflict real damage on our financial, personal, and even social lives.
Blockchain technology offers new ways to handle the problems facing cybersecurity. The speed, transparency, and immutability of these cryptographically-secured distributed ledgers has made them an attractive solution for businesses and governments alike. As we reflect on the state of cybersecurity today, we consider how blockchain can be used to defend against the scourge of cyberattacks—but first, let’s take a look at some of the biggest hacks to date.
In December 2016, Yahoo disclosed that the data of more than 1 billion users had been obtained by hackers. This was the largest hack of its kind in history, and was more than double the scale of the 2014 attack on the company. According to The Guardian, compromised data “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers.” Yahoo believes the attacks are connected, and that they are part of a state-sponsored effort. Chief Information Officer Bob Lord says that the hackers used “forged ‘cookies,’” which allowed them to log into users’ accounts without passwords.
In reaction to the 2014 breach, six U.S. senators demanded to know when exactly the attack was first discovered. Vermont Senator Patrick Leahy added that they were “disturbed that user information was first compromised in 2014, yet the company only announced the breach [two years later].” The company notified users of the hack and asked them to change their passwords.
Several companies in the healthcare industry have also suffered cyberattacks, including Anthem, Community Health Systems, Inc., and Premera Blue Cross. In the case of Premera, hackers obtained the medical information, bank account numbers, SSNs, birth dates, and other data of 11 million customers. The majority of those affected were residents of Washington state employed by Starbucks, Amazon, and Microsoft. The attack began in 2014 and was disclosed in March 2015.
The Huffington Post reports that “[m]edical records are highly valuable on underground criminal exchanges where stolen data is sold because the information is not only highly confidential but can also be used to engage in insurance fraud.” Although there was no evidence that the illegally obtained data was improperly used, Premera hired cybersecurity firm FireEye, Inc. and was working with the FBI to get to the bottom of the breach.
Target was hacked on Black Friday 2013, which the discount retailer announced three weeks later. The data—including the names, credit and debit card numbers, and CVVs of 40 million customers—could be used to make card replicas, and many customers reported unauthorized ATM withdrawals. Security experts suspect that point-of-sale data was exploited, meaning hackers “either accessed the terminals where customers swiped credit cards or collected data as it moved from Target to credit card processors.”
Target responded by offering a free credit monitoring service, setting up a temporary hotline for affected customers, and issued a 10% store-wide discount on the weekend following the announcement. New York Senator Chuck Schumer called on the Consumer Financial Protection Bureau (CFPB) “to report on whether retailers should be required to encrypt customer data,” and Richard Blumenthal called for an FTC probe.
Avid Life Media, the parent company of extramarital affairs platform Ashley Madison, was attacked in the summer of 2015. The hack is thought to have been the work of a group or individual known as “Impact Team.” The purpose of the attack, according to Fortune, was retribution against Avid Life’s core mission to “arrange affairs between married individuals,” and to shed light on the “requirement that users pay $19 for the privilege of deleting all their information from the site (but, as it turns out, not all data was scrubbed).” 32 million profiles were compromised, and at least one man was blackmailed by a “Mr. X.” Avid Life has agreed to an $11.2 million settlement awarded to its users—about $3,500 per victim.
A relatively new form of hacking known as “ransomware” has taken the cybersecurity scene by storm, debuting around 2009. Most notorious is the 2017 WannaCry attack of systems across the globe perpetrated by North Korea. Ransomware attacks take over computer systems, bringing the organizations that depend on them to a halt until they agree to pay the desired sum for their release, usually in the form of the cryptocurrency bitcoin. Such attacks have become increasingly common, even featuring in an episode of Grey’s Anatomy.
The city of Atlanta is currently struggling through what The New York Times describes as “one of the most sustained and consequential cyberattacks ever mounted against a major American city.” The SamSam hacking group has made it impossible for residents to pay bills or tickets online, police have been unable to validate warrants and are forced to take reports by hand, and travellers passing through the Atlanta airport cannot access its free Wi-Fi. SamSam is demanding a ransom of $51,000 in bitcoin, which is much cheaper and easier than restoring access to locked systems via overthrowing the ransomware. The FBI discourages paying ransoms because there’s no guarantee of effectiveness, and doing so may even expose victims to further attacks.
Many of the cases detailed above involved vulnerabilities because data was stored in a central database—effectively serving as a one-stop-shop for hackers. But because the data stored on a blockchain is decentralized, the risk of a single-point exploitation is nonexistent. According to Forbes, “By leveraging a distributed ledger and taking away the risk of a single point of failure, blockchain technology provides end-to-end privacy and encryption while still ensuring convenience for its users.” In other words, there is no blockchain equivalent of Target’s credit card terminals that can be opened like the vault of a bank.
Blockchain can also help to reduce cyberattacks by doing away with the need for passwords. Human error is often responsible for the ease-of-access hackers enjoy. Alex Momot, founder of REMME, says that “no matter how much money a company spends on security, all these efforts are in vain, if customers and employees use passwords that are easy to crack or steal. Blockchain takes the responsibility for strong authentication, resolving the single point of attack at the same time.” Cryptographic keys make credentials much harder to steal.
The Pentagon and other arms of the United States military are putting blockchain to work, as well. Massive bureaucracies often waste valuable time and resources navigating back-office infrastructures, and they need a way to pare down without compromising security. CoinTelegraph reports that DARPA is experimenting with blockchain to decentralize portions of the Department of Defense’s operations: “‘Smart documents and contracts’ can be instantly and securely sent and received, thereby reducing exposure to hackers and needless delays in DoD back-office correspondence.” Smart contracts trim the fat off the edges and are nigh impenetrable, too.
The details of other consequential cyberattacks—Equifax, Uber, Bad Rabbit, Amazon—could fill countless hard drives. To address the human component, Privacy Rights Clearinghouse offers a series of useful guides to online safety and security. Other vulnerabilities can be dramatically improved by incorporating blockchain technology. Faster, broadly distributed, and cryptographically secure, blockchain offers enhanced measures for our most pressing cybersecurity needs.
Image via Pixabay.