While all companies and people must share data to access and improve the goods and services that carry us through life, that doesn’t mean we must give up our privacy. We understand that breaches have become inevitable, as bad actors just need to find a single weak point in a complex system. But why should that mean that our sensitive information has to remain at constant risk?
It should not. And yet, the recent Cyberserve breach by Iranian-linked Black Shadow demonstrates once again that no one should assume that their confidential information is safe, even in the hands of seemingly trustworthy people. By breaching Tel Aviv data hosting company Cyberserve, Black Shadow gained access to sensitive personal information held by a number of Cyberserve customers — most notably, the highly-sensitive information held by Atraf, an LGBTQ dating platform similar to Tinder or OK Cupid.
Black Shadow demanded a $1 million ransom payment from Cyberserve, and when the hackers did not receive payment, they released names, health information, including HIV status, and sexual orientation of Atraf customers — presumably including people who haven’t officially come out of the closet. A few days later, they released even more personal information on Atraf customers.
The database released was packed with personal information and detailed identifiers (full names, emails and phone numbers) and highly-sensitive information about their users (sex, sexual preference, marital status and health concerns). To appreciate the scope of this leak, consider that Atraf’s database features over 100 organized columns detailing different user properties.
Atraf needs this personal information to run its service. And it’s safe to assume that users of the service assumed their privacy was protected and they were unaware of (or intentionally ignoring) the risk they were taking.
Who’s responsible in this case?
The answer is both: Cyberserve for having inadequate perimeter protection, letting Black Shadow into the cyber premises. And Atraf, for failing to exercise industry-recognized, relatively basic protection for its customer privacy. Let’s focus on Atraf and privacy.
Atraf could have used tokenization to depersonalize the data they hold on their customers, rendering it useless to hackers and blackmailers by separating the data tables of personally identifiable information (PII) from the real identities of the people it describes. Tokenization has become integral to pseudonymization, the best practice of reducing the privacy risk of data-sets to zero by scrubbing them of PII. Of the more than 120 properties Atraf stored on each user, segregating merely 10 key identifiers would have done the trick and kept all this information private.
Tokenization substitutes sensitive information with equivalent non-sensitive information. The non-sensitive, replacement information, called a token, gets created using cryptography, a hash function, or a randomly generated index identifier. The token exists in the database, and the PII personally that it replaces gets stored in a tightly-controlled and monitored dedicated server.
This is hardly a revolutionary idea — regulations like GDPR and CCPA have been recommending pseudonymization for years. So why aren’t companies complying, particularly new, born-on-the-web companies that can incorporate privacy into the design of their service from the start? It’s a question those in the industry should ask more often, particularly considering the persistent leakage of health records, credit card data, government IDs like social security numbers, and myriad details of our personal lives.
It’s true that systems of many organizations were built without privacy in mind. PII and other sensitive information have been mixed in and lost with the rest of an organization’s non-sensitive data and copied and replicated across many systems and databases. In this situation, it’s almost unfeasible to regain control over this scattered information and protect customers privacy.
I understand it’s a daunting effort to retrofit privacy protections into massive databases. But with the cloud and advances in privacy engineering, it can get done. We should not have to give up our expectation of privacy to participate in the modern, cyber world.
Ariel Shiftan, chief technology officer, Piiano