Just this month, the BBC reported that ‘nearly all adults’ in Bulgaria had their personal data stolen. Names and addresses, as well as details of personal income, for nearly 7 million people over the age of 18 were the main targets of the security breach. In addition, the stolen data contained information on several businesses that operate out of Bulgaria. As a result of the hack, the tax agency now faces a fine of up to 20 million EUR [1] for breaching the European General Data Protection Regulation (GDPR). To add insult to injury, an email to the government, ostensibly from one of the attackers, jeered at those responsible for the poor security, deeming the tax agency “a parody”. This is by no means the first attack of its kind. Earlier this year the Australian online design company Canva had its security breached and the data of 140 million users was compromised. Usernames and email addresses for personal accounts were accessible, though passwords remained encrypted according to the report [2]. Nevertheless, all users were advised to update their passwords as a precaution. The company defended itself by stating that no accounts were accessed thanks to the password security. Regardless of whether passwords were revealed or not, this is quite clearly unacceptable for any company, large or small. Who knows what could happen in the future? If username and email security is compromised, personal information and even funds are in jeopardy, particularly if users have weak or guessable passwords!
There are myriad issues that need to be addressed in both of these hacking cases. First and foremost, companies, and especially governments, must realise that personal information must be treated as property, in line with the new European GDPR laws. Many companies, including Apple and Google, now require two-factor authentication for users to access their own accounts. But it is not always obvious what certain industries and departments within governments are doing to improve security. This latest Bulgarian hack indicates that more still needs to be done regarding the way in which people are able to access information. Password strength, multi-factor authentication, and carefully selecting which people have access to data and passwords are just some of the ways in which security can be improved. However, one key issue is that when data storage is centralised, any breach is likely to lead to an entire set of sensitive data being compromised; in many cases, millions of people are affected.
It is not as though more reasons were needed to adopt blockchain and The Proof of Trust (PoT), but this latest attack could certainly count as another one. As is well documented, Distributed Ledger Technology (DLT) is nearly impossible to hack, provided careful steps have been taken on initial data input. With the option of private/permissioned blockchains, which are more likely to be adopted by governments, personal data would be completely hidden from anyone without access to the blockchain, reducing some of the questions concerning GDPR. Once transactions are immutably logged on the blockchain, hackers would need to control 51% of the computing power in order to compromise them, a near impossible feat. Both businesses and governments are beginning to recognise this; Dubai in particular is pushing blockchain adoption, but it isn’t alone. Of course, blockchain is only secure if the data is correct on input and the smart contracts being used are bug free. Without The Proof of Trust, smart contracts are still open to attack and personal information could be at risk. The recent meetings taking place with the Slovakian government have highlighted their intent to seriously begin utilising blockchain technology, safe in the knowledge that all information submitted via smart contracts will be protected through Proof of Trust.
The flexibility of the PoT protocol ensures that several different ways of implementing the security layer are available. One possibility is that The Proof of Trust has access to a bank of Delegates consisting of expert oracles who specialise in the auditing and arbitration of contracts that require further review. Those that have adopted PoT can request that these experts review the digital contracts before they are submitted to a blockchain, reducing the probability of buggy or inadequate contracts being accepted to almost zero. Another option is that the team of Delegates is directly hired by the company wishing to use PoT as a security layer. In this second option, the company would have full control over the operation of the Delegates. For example, the frequency of arbitration, the number of Delegates involved in the process and whether a SuperDelegate layer is required would be entirely down to their needs and the level of security required. The second option is likely to be adopted by governments and other public offices, giving them more control and transparency and rewarding their efforts accordingly.
To summarise, all governments and industries need to ensure they are taking their online security very seriously in order to avoid data breaches and the substantial fines that inevitably follow. While blockchain cannot answer every question, it certainly is a proven way of storing decentralised data, making hacking more difficult. Weaknesses still exist at the human-blockchain interface: if smart contracts are not carefully devised, with information carefully input, then they are just as susceptible to attack as our current systems. Any company or department utilising The Proof of Trust protocol has a greatly reduced chance of having its data compromised.
1. Anon. “Data of ‘Nearly All Adults’ in Bulgaria Stolen.” BBC News, BBC, 17 July 2019, www.bbc.co.uk/news/technology-49015511.
2. CISOMAG. “Nearly 140 Million User Data Leaked in Canva Hack.” CISO MAG, Cyber Security Magazine, 28 May 2019, www.cisomag.com/nearly-140-million-user-data-leaked-in-canva-hack/.