What steps are taken to keep my data private, and why did they fail?
As Optus weathers the fallout from the damaging data breach that exposed the personal details of 9.8 million customers, questions have been raised about how protected the data was to begin with.
So, how do companies protect the information of their customers?
Let’s start with the basics: Personal identifiable information or PII, refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
Optus is in damage control over a major data breach that included personal details of more than 10 million Australians.Credit:Aresna Villanueva
When any sensitive data is stored digitally, it has become common practice to encrypt that information.
What is encryption?
The easiest way to imagine encryption like a box with a lock, says Damien Manuel, chairperson of the Australian Information Security Association.
Data is put into that box. It’s then locked, and only the people who have the algorithms, or keys, can decrypt that information, or unlock that box.
The key to unlocking this box is with an algorithm or piece of code. “Without that key, that data is essentially gobbledygook,” Bastien Treptel, founder of cybersecurity services, CRTL Group said.
Is encryption effective at protecting data?
If it’s done well, yes.
“There’s a cost that the business bears because the more time you encrypt data, the more places you encrypt, the more complex it becomes to manage,” says Manuel.
In 2019, tech company Canva dealt with Australia’s biggest hack: 139 million users’ data was stolen from the company’s system. But unlike Optus, none of the data was usable.
“Yes, it was bad that Canva was breached, but the system was encrypted so they couldn’t get the information out of that stolen data,” said Treptel.
Can encrypted data ever be unencrypted?
If encrypted data falls into the hands of someone who shouldn’t have access to it, it is possible – although unlikely – that they can ‘unlock’ the encryption to make sense of the data.
This is because as technology advances, specific algorithms or techniques used to encrypt data become defunct.
“The gold standard of cryptography a decade ago is no longer acceptable. You wouldn’t even entertain using it,” said Haskell-Dowland, professor of cybersecurity practice at Edith Cowan University.
The problem is, some organisations may not have updated the encryption methods they used when they originally stored a data set, making that data easier to unlock.
Was the Optus data encrypted?
So far, there has been no concrete explanation to how the data breach occurred. Optus chief executive Kelly Bayer Rosmarin told ABC radio on Tuesday that the hack was a “sophisticated attack that penetrated multiple security layers.”
But experts have two theories on how the data was accessed: The first was that while the data was encrypted, Optus used either old and outdated encryption methods, or there were many people who had access to the interface where the data was stored.
The other alternative is that the data was not encrypted on the interface, which Optus denies.
“It is not the case of having some sort of completely exposed API sitting there”, Bayer Rosmarin said.
But before that, let’s look at where this data was stored: known as an API.
What is an API?
An API, or Application Programming Interface, is a piece of software that allows information to be sent and received between two parties. Instead of having to encrypt and then decrypt the data between those two parties, users can access the API instead.
“We might use an API between two systems where there is a level of trust between them,” Haskell-Dowland said. “This is all perfectly secure because it’s a direct connection from one system to another … They’re heavily restricted and protected – you’ve got all the security controls wrapped around it.”
But, let’s say that there’s a development team working on a new product, and are given access to this API. Suddenly, there are many groups with access to the API, which means there are more chances for the data to be left unlocked.
“The danger lies when you create an API, and then you open up to the internet and that information becomes accessible by people that you don’t want it to be accessed by.” Haskell-Dowland said.
What lessons are we taking away from how is stored?
Regardless of how the data was breached, experts in the fields say that it is in the interest of both organisations and consumers to reduce the amount of personal information that’s being stored on a company’s internal server.
“In the past, everybody used to think ‘the more data I have, the better off I am’ because you might get some insights, and even monetise that data in some way or give better customer service,” Manuel said.
“We should be thinking of the more data you have, the higher your risk,” he said. “The message should be only collect the data that you need for the purpose that you need.”
Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.
Most Viewed in Business
From our partners
Source: Read Full Article