Following a number of high profile data breaches at the tail end of 2018, Robin Tombs, CEO, Yoti, offers his advice to businesses looking to ensure they have the right protections in place for the safe storage of their consumers’ data.
The Quora.com data hack in December 2018 and the data breach which affected Marriott International in November were no doubt a wakeup call for businesses to ensure they hold the data submitted to them by consumers securely.
Across both cases, personal details, passwords, and email addresses of over a 100 million people were exposed – offering up a plethora of valuable personal information to hackers.
Biometrics are key in securing accounts
In the case of Quora, passwords were stolen that could then be used to access users’ other online accounts – as too often the same password is used by an individual across multiple accounts.
This comes as no surprise. The average user has in excess of 190 passwords asked of them across multiple sites, so it would be basic human nature to reuse the same password for each access point.
A more secure means of ‘logging in’ is therefore required; one that does not need consumers to continually remember password and login details. The emergence of biometrics over the last two years has come at just the right time. Biometrics involve someone accessing their account through a fingerprint or ‘selfie’. Obviously everyone’s biometric data is different and specific to them. This technology not only acts as being a more secure way of identifying an individual, but it also means consumers no longer have to remember passwords every time they want to access their online accounts.
Use verified identities
For many, data breaches happen when hackers have access to passwords and login details. Undoubtedly it is easy for a hacker to pretend to be another person once they have their email address and password.
One way to combat this is to let individuals use a digital identity to share their verified details.
Digital identities, secured with biometrics, give individuals more control over their data. Everyone’s biometrics are unique, and therefore only they can access and share their verified details with a business.
Transparency is key
As soon as a data breach has occurred, it is imperative for a company to inform consumers of the occurrence so they can take all the necessary steps they need to ensure any damage is limited. One top tip is for customers to change their existing passwords and to monitor their bank statements for any unusual activity.
The disclosure companies need to undertake should be a full one. An affected business needs to be clear to its customers on how the breach happened, who was affected – including what data was compromised – and the steps they are now taking to remedy the situation.
In the case of Quora’s data breach, for example, the company did not give timelines and dates about how long ago the hackers had gained access, or how they noticed that the compromise had happened. Lessons can be learned here and in the future affected companies must be transparent about how a breach has happened and why.
Only request the necessary information
Organisations should only ask for the information they really need from their customers. This will help to strike a balance between confidentiality, whilst giving companies the information they require.
This will also reduce the amount of data potentially exposed in a data breach, protecting individuals against the increasing threat of identity fraud.
Consumers – get organised!
In the case of the Quora data breach, many people were surprised to get an email from the company about the breach, having forgotten they even had a Quora account.
It is important consumers keep track of their online accounts and delete any they no longer use. This is especially the case where they have reused the same passwords across multiple sites.
A password manager which securely stores login details for multiple online accounts is a good way to stay on top of different websites.
In an ideal world, a password manager would not be secured with a master password, otherwise if someone cracks that password, they would then have access to all of the victim’s login details. Instead it should be secured with an individual’s biometrics – unique to them and meaning only they can access their passwords.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.