Last month, Desjardins Group suffered a data breach, which leaked personal information on 2.7 million individual clients and 173,000 business customers. This breach was relatively small compared with the number of records exposed in other breaches, which seem to occur much too frequently. Of course, if you're one of the individuals affected by the breach, the numbers aren't important because it's personal.
This Desjardins breach included names, addresses, birthdates and social insurance numbers (SINs). A SIN is a piece of information that must be guarded very carefully because of the potential damage a fraudster can do with it, including applying for credit cards and bank accounts in your name. The fact that SINs were involved seems to have prompted an emergency meeting of the Standing Committee on Public Safety and National Security.
To their credit, Desjardins is providing a lot of protection to victims of this breach, and it could get expensive. One of the measures Desjardins has taken is to offer free credit monitoring using Equifax. Ironically, that's the same organization that had a massive data breach in 2017, which exposed the sensitive information (including Social Security Numbers) of 143 million Americans. About 100,000 Canadians were also impacted by that breach, which exposed their SINs.
This is a vicious cycle that needs to be broken. I believe that data breaches can be reduced but not eliminated. As long as large stores of valuable information exist, they will be targeted, and they will be compromised. In the end you must accept the fact that your sensitive information will fall into the wrong hands.
So how can we break this cycle?
Let's start by considering that your SIN is just a number. It might be a sensitive piece of information, but it is not your identity. If someone else knows my SIN, name, address, and date of birth, that should not be sufficient to steal my identity. In other words, if an impostor presents my SIN to a bank to get a loan in my name, that impostor also needs to prove that they are me. And that proof needs to be more than just static pieces of my identity information.
Strong identity proofing is the foundation for establishing a digital identity. This is the process of collecting evidence of identity (via identity documents, biometrics, etc.) and verifying that information using authoritative sources (or, in a self-sovereign system, it can mean getting consensus from your web of trust).
It is not practical to perform identity proofing during every transaction, which is why eID-Me generates an identity certificate with verified identity claims once identity proofing is successful. This certificate is strongly bound to the individual and carried on their smartphone, which is the only place where the identity private key exists. From that point forward, the proof that you own your identity is conveyed cryptographically in an eID-Me identity transaction. When I present my SIN number to a service, I can also prove that I own the identity to which it belongs. No one else can do that.
This is the leap we must take to break the identity theft cycle—even in the face of massive data breaches.
We are in an information age where static digital identities offer little to no protection for individuals. A means to convey proof of ownership with cryptographic security is now a necessity. Large-scale data breaches may never stop, but that does not mean identity theft needs to continue.