Data breaches are one of the scariest things we can encounter in real life. Receiving an email letting you know your personal information has been taken is much more frightening than the Necronomicon or the Babadook.
Victims are left with a foreboding feeling of the unknown normally confined to horror films. Who has their information, and more importantly, what can they do with it?
As we, and our governments, increasingly digitalise our identities and information, the reality of data breaches only becomes spookier. A digitalised version of yourself, including biometric data like a fingerprint or facial imaging, may not be far off.
Many countries like Singapore, Nigeria, India, Canada, and the UK have some digital identity schemes in place. Digital identity makes up part of what becomes a digital twin, and as they become more common, we may be under more attack.
Why financial services should care about data breaches
It can feel like there are pretty constant headlines about data breaches, sometimes to the point where this trivialises the reality of how bad this can be for individuals.
Financial institutions are continuously attempting to prevent data breaches, but they have not been immune.
In March 2024, UniCredit was hit with a €2.8 million fine for data breaches dating to 2018. This reportedly impacted 750,000 customers, but the bank had additional data breaches in 2017 and 2019.
In July of this year, Evolve Bank faced a ransomware attack resulting in data being published on the dark web containing what the criminal gang Lockbit claimed was “juicy banking information containing American’s banking secrets” from the Federal Reserve.
This month, Moneygram confirmed that when they took their systems offline in September to deal with a cybersecurity issue, they too experienced a data breach. Information included names, dates of birth, bank account numbers and even government-issued identification documents.
Sometimes third-party vendors can leave banks vulnerable. Earlier this year Banco Santander experienced a data breach due to a weakness in a third-party vendor, leading to information about customers and employees being exposed.
However, even data gained from a non-financial institution’s data breach can create new threats for financial services. The more personal information a criminal has about an individual, the more convincing their fraud attempts can be.
AT&T faced a huge data breach revealing the numbers and call records of around 110 million people. Vans, the shoe company, saw a breach expose a reported 35.5 million customers’ information, although they claim none of it was financial. In May, Dell saw 49 million records exposed, including some payment details; and finally, National Public Data, a company which ran background checks, had a data breach resulting in the data of 2.9 billion people being stolen across the US, Canada and the UK, including details like social security numbers.
Most hackers attempt to sell this information or use it to get a ransom. However, once purchased, there should be concerns over what happens to that information. While breaches are clearly quite violating, some of the information might seem trivial. Yet the information gathered by criminals can be used to emulate a digital twin.
Government data breaches: The European entry and exit system
Government data breaches can feel even more scary at times, as they can have much more information on us than other sources. I spoke with Zach Burks, CEO of Mintable, who has been raising a red flag about the potential for data breaches in the proposed European Entry and Exit System (EES).
The EES was meant to be implemented by the end of 2024, but has recently been delayed to 2025. The proposed system would register every traveller that crosses an external EU border, both short-stay visa holders and visa-exempt travellers. They would hold this information for up to three years, and it would include names, travel documents, and biometric information like fingerprints and facial images.
Burks explained: “When you're talking about the scope of data that is going to be collected, and the amounts of data, you're going to have a digital twin coming in through this EES.”
As it stands, Burks doesn’t see the proposed system as being secure enough to hold this data: “One of the bigger issues is the fact that you're going to have a digital twin that's got your biometric, so a face scan and a fingerprint, and it's going to be stored in a database that is accessible across multiple regions, across Europe… You have 1000s of locations that are going to be connecting to a network. If you're a bad actor, all you need is either access to one of those networks, if the security is not pristine.”
Burks noted that even in situations where security is pristine, governments can fall victim to “zero day exploits.” He claimed all of this leads to a “centralised point of failure.”
For Burks, the worst-case scenario for this is related to national security: “The consequences would be having an adversarial agent nation state. Imagine Russia knowing every British national, or even immigrants coming into the country, having access to that data, being able to track personnel. It could be VIPs they're tracking. It could be assets. It could be used, to be exploited, to get assets into the country, if they have access to that.”
Burks highlighted that the solution to this problem is through the blockchain and NFTs. He explained: “In a centralised hack, very rarely is data put off into segments and secluded off where you only have access to certain bits. So if you were to think of your passport, your full name is most likely not going to be secluded off in a separate database, opposed to your date of birth. It'd probably be kept together most likely, and that's efficient. That means that if you get access to that one database.

“You don't have one individual database for every individual. That would not scale. But on the blockchain, you could do that, and it would scale. What that means then is in order to hack the millions of people that have come through that immigration point […] I would either have to hack the encryption mechanism that is military grade […] and is pretty much unhackable. They would either have to break that, or they would only get one wallet at a time,” Burks said.
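The segmentation idea Burks describes, one protected compartment per person rather than one database everyone's data sits in together, can be shown without a blockchain at all. The script below is an added illustration, not code from the article, from Mintable or from the EES project: it stands in "one encryption key per record" for "one wallet per traveller", builds a small constructed set of traveller records, encrypts them once under a single database-wide key and once under per-record keys, and then simulates a breach in which the attacker obtains the whole encrypted dump plus one compromised key. The toy cipher (an HMAC-SHA256 keystream with an HMAC tag) exists only so the example runs with the standard library; a real system would use an AEAD such as AES-GCM from a vetted library.

```python
"""Blast radius of a breach: one shared key versus one key per record.

Added example, not from the article. The cipher below is a stand-in for a
real AEAD (e.g. AES-GCM) so that the script runs with only the standard
library; it is not intended for production use.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Iterable, Optional, Set

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` pseudorandom bytes with HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Fresh random nonce per call."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the record was tampered with."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class SharedKeyStore:
    """The 'kept together' design: every record is sealed under one database-wide key."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.records: Dict[str, bytes] = {}

    def put(self, record_id: str, data: bytes) -> None:
        self.records[record_id] = encrypt(self.key, data)


class PerRecordKeyStore:
    """The 'one wallet per person' design: each record is sealed under its own key."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.records: Dict[str, bytes] = {}

    def put(self, record_id: str, data: bytes) -> None:
        key = secrets.token_bytes(32)
        self.keys[record_id] = key
        self.records[record_id] = encrypt(key, data)


def records_exposed(records: Dict[str, bytes], stolen_keys: Iterable[bytes]) -> Set[str]:
    """Simulate a breach: the attacker holds the full encrypted dump plus the stolen keys.

    A record counts as exposed if any stolen key decrypts it.
    """
    stolen = list(stolen_keys)
    return {rid for rid, blob in records.items() if any(decrypt(k, blob) is not None for k in stolen)}


def demo(n_travellers: int = 5):
    """Seal n constructed traveller records both ways, leak one key from each, count the damage."""
    # Constructed sample data: these are not real travellers or real biometrics.
    sample = {f"traveller-{i}": f"name{i};dob;passport;face;fingerprint".encode() for i in range(n_travellers)}

    shared, per_record = SharedKeyStore(), PerRecordKeyStore()
    for rid, data in sample.items():
        shared.put(rid, data)
        per_record.put(rid, data)

    # One key is compromised in each design.
    exposed_shared = records_exposed(shared.records, [shared.key])
    exposed_per_record = records_exposed(per_record.records, [per_record.keys["traveller-0"]])
    return len(exposed_shared), len(exposed_per_record)


if __name__ == "__main__":
    shared_hits, per_record_hits = demo()
    print(f"shared key leaked:     {shared_hits} records readable")
    print(f"one per-record key leaked: {per_record_hits} record readable")
```

Running it reports that a single leaked key reads every record in the shared-key store but exactly one in the per-record store; that difference, not the storage technology, is the property Burks is pointing at, and it applies equally to a conventional database with per-record keys held in a separate key-management service.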
Data breaches and financial services
EES is just one example of a system which could be vulnerable to data breaches and exposing the sensitive information of a lot of people. As governments, and all of us, take a more digital approach, we can be made vulnerable in new ways.
Obviously the financial industry cannot control data breaches outside of their individual institutions, but they can keep doing all they can to prevent their customers falling victim to fraud. To protect their users, financial services should be using everything in their arsenal, from stopping fraudulent payments to encrypting the personal information they do have on their users.
Not all of these concerns are financial; there are serious national security and personal privacy implications in all of this, but that does not mean financial services should take it any less seriously. Every part of the chain has a role in protecting people.