Bluink Blog

Questions and Conclusions from the Capital One Data Breach

Posted by Steve Borza · 460 words

 

The most recent Capital One data breach leaves many questions to be answered…

 

Among them, why is Capital One storing personally identifiable information (PII) dating back to 2005?

 

Why is this most sensitive information (everything needed for identity theft) not being stored in an encrypted format?

 

Why does it take a random tip from someone perusing GitHub to tell them about the breach, when the vulnerability has been posted since March?

 

All these questions lead us to some disturbing conclusions. Financial institutions (FIs) are not handling our PII in a reasonable manner to prevent data theft. It is obvious that data at rest encryption policies do not exist. (If you’re a FI reading this, please correct me if I’m wrong.)

 

For FIs, the trend is moving to more “sharing” of our personal information without our knowledge. Sure, there was a click agreement, and you clicked it a while back… But did you understand that the app that asked you to log in with your banking credentials just screen scraped your account information using iframes? Did you understand that it grabbed all your balances, purchase information, loan information, and more? Probably not.

 

I received a notice recently that my bank would be sending me a new User Agreement for my online banking. This will presumably cover the new data sharing policies. The kicker is that I can agree to the new policy, or I can lose all access to online banking! That’s not really an option, is it?

 

Rather than sharing our information behind our back (sorry, there was a click "agreement"), how about providing a sovereign identity that is under our control, in our pocket on our phone, and we decide with whom we share? It could be part of a digital wallet in your banking app, if as a bank, identity is your business. Or it could be in a personal app, provided by a government to protect the privacy and security of its citizens.

 

As we grapple with another million exposed SIN numbers and six million citizens' PII lost in yet another breach, it's time to tie our information, including SIN number, date of birth, name, and account information, to a verifiable, certificate-based digital identity. This way, identity secrets, such as a SIN number, can be verified as coming from the actual citizen, not from someone who stumbled across them on GitHub.

 

Secure identity information with the verifiable, certificate-based digital identity, eID-Me.

 

eID-Me will launch in app stores this fall. Click here to subscribe to eID-Me updates and be notified of the launch.