The recent enormous data breach of Starwood Hotels & Resorts, a Marriott International company, is yet another example of a corporation that could have avoided compromising its customers and itself by implementing a distributed-ledger system. Even though exposing names, addresses, phone numbers, email addresses, passport, birthday, credit card, and reservation information for 500 million customers is extraordinary, Marriott is not at all unique in being woefully slow to adopt a solution whereby gaining access to an entire database would no longer be possible.
The images included in this article are from a presentation of a Secure Block Technologies (SBT) cyber-attack research project. The group reviewed breach announcements listed on Hackmageddon.com, along with other supporting articles, for the first half of 2018. We highlighted scenarios that could have been prevented, or at least mitigated, if blockchain systems had been in place.
Most of the incidents involved the exposure of sensitive information, such as birthdays, addresses, phone numbers, and identifiers like Social Security, Medicare identification, or passport numbers. In many cases, credit card, banking, or other financial information was involved. Astonishingly, some cases exposed plain-text passwords and/or password hints. Healthcare-related entities seem to be frequent targets, and in most cases, the compromised data exposed diagnosis and treatment information.
A large number of phishing and email account attacks were not included in these SBT highlights. Even though a well-designed blockchain system could remove the need for staff to use email to exchange large amounts of business data, these attacks were excluded, to a large extent because there were so many incidents. We also considered that lax practices stemming from poor business awareness and poor training are a major contributing factor. It is shocking how many of these breaches involved the emailing of large amounts of patient health data. Maybe laziness, indifference, and/or good old stupidity are also to blame.
The main trend in the highlighted security breaches was unauthorized access to internal or central systems. Typically, once the hackers were in, there was little to stop them from seeing and doing what they wanted, and no way to know for sure what they did. It’s inevitable that accounts and networks will be compromised through security holes, phishing, malware, or social engineering attacks. One of the great benefits of a blockchain environment is that even when the enemy gets inside the castle, most or all of a business’s data is still secure.
A large advantage of implementing distributed-ledger environments is that all of the data is encrypted. Additionally, access to information and transactions is restricted according to the needs of the accounts involved in business activities. This is significant, because there are no developers or administrators with the god-like access found in most database environments. Implemented properly, a distributed-ledger system makes it impossible to grab enormous chunks of data.
In upcoming postings, SBT will review specific aspects of how blockchain could have limited or prevented the damage in these situations.