If the last 5 years have taught us anything, it is that data breaches are inevitable. Users still make errors, systems are still vulnerable and cyber-criminals’ hunger for hacking shows no sign of being sated. It would be wrong to say that all data is of equal value, but a loss of data of any type has potentially wide-ranging implications for any organisation.
The consequences of a data breach go beyond simple business disruption to include a loss of intellectual property, competitive advantage, corporate knowledge and customer loyalty. Worse still, a data loss could result in lost revenue, breach of compliance regulations and, under the new EU General Data Protection Regulations (GDPR), some pretty serious financial penalties.
In November, Tesco Bank announced a data breach in the UK. Thousands of customer accounts were illegally accessed and money was withdrawn. The hackers were careful to remove just enough money to make it worth their while, but not so much as to draw immediate attention to themselves.
Although the true nature of the breach may not have been confirmed as we write this, it seems to have been made possible by contactless payments made through smartphones. The UK news was full of sensational stories of “unprecedented loss of financial data”. Sorry to say, this was not as rare an incident as you might think.
In February of 2016, the Bank of Bangladesh suffered a similar breach. This time it was $81 million removed from customer accounts by hackers who managed to subvert the SWIFT system. What made the headlines for this breach was that SWIFT was previously seen as a closed, trusted network for global financial institutions.
Cyber-criminals are becoming increasingly sophisticated in their attacks and banking data is a high priority target, because of the potential for financial gain. On average, it takes more than 12 months for data breaches to come to light, so hackers have plenty of time to exploit their ill-gotten gains.
Embarrassing as this incident was for Tesco Bank, it could have been much, much worse. To their credit, Tesco seem to have been quick to act. 24 hours of disruption to digital transactions and things seem to have been brought back under control. But what was the impact of that 24 hours?
A day’s lost revenue might not seem like too big a deal, but then there was the loss of trust in the brand and the fact that they had to pay back the £2.5 million that was taken from their customers’ accounts. So, the damage mounts up.
£2.5 million doesn’t really seem like a lot of money to a major financial institution and Tesco might think they have gotten off lightly – assuming there is no subsequent financial penalty applied. However, if this had taken place when the new European GDPR legislation was being enforced, it could have been a different story altogether.
We have mentioned the General Data Protection Regulations (GDPR) in previous posts. But, for the uninitiated, here is a very brief overview.
First proposed in January 2012, and approved in April 2016, the GDPR is designed to unify data protection rules across Europe and set out compliance obligations for the movement of data, both within the EU and between EU member states and their global partners.
The legislation is set to become law in May 2018, and one of its major talking points has been the hefty financial penalties proposed as a result of non-compliance. Organisations suffering a data breach can expect to be fined up to 4% of their annual turnover (or €20 million, whichever is greater). Not profit. Turnover.
This means Tesco Bank could have been facing a GDPR-imposed penalty of an eye-watering £1.9 billion. Now, businesses have been accused of not taking data breaches seriously in the past as the cost of prevention outweighed the cost of repair. Not anymore. With this level of fine on the horizon, everyone is sitting up and paying attention.
Quantum-Cryptography, for long-term data protection
The high-speed, global networks that modern financial services have come to rely upon are not inherently secure. The best, last line of defence against a data breach is to encrypt the data, rendering it useless to unauthorised users.
As you would expect, the hacker vs cryptographer war has been raging for a long time. As new algorithms and encryption devices are made available, there is an army of hackers waiting to “crack” them – from organised crime to bored teenagers in their bedrooms.
At the moment, the cryptographers have the upper hand. High-assurance encryption technologies make the decrypting of protected data almost impossible in the short-term. That’s not to say that, given enough time and computing power, a committed hacker couldn’t crack an encrypted file.
However, there is something on the horizon that is set to change the game completely: the quantum computer. Capable of performing calculations thousands of times faster than current systems, a quantum computer would reduce the time taken to crack current encryption solutions from months to hours.
It’s not all bad news though. The first commercially viable quantum computer is still at least a decade away. In the meantime, there are already solutions available that exploit the fundamentals of quantum physics themselves to create “unbreakable” encryption, also known as quantum-safe cryptography.
IDQ is a pioneer in the fields of quantum random number generation and quantum-safe cryptography. The first to commercialise a quantum cryptography platform, our solutions provide long-term data security in a post-quantum world.
To find out more, visit: www.idquantique.com