In the face of the multiple waves of cyberattacks that governments, corporations, and individuals suffer almost on a daily basis, it’s very annoying to note that any form of information can still be left unguarded and unsecured despite all the cybersecurity measures that are readily available. That is why the news that personal data relating to 1.2 billion people, including email addresses, phone numbers, and LinkedIn and Facebook profile information, has been leaked online via an open and unsecured Elasticsearch server came as a shock.
The said data was uncovered on 16 October 2019 by researchers Bob Diachenko and Vinny Troia of threat intelligence platform Data Viper. Diachenko and Troia were able to access and download the data via a web browser without having to use an ordinary password or any other form of authentication.
According to the researchers, the first dataset was discovered to contain, among other things, data on 1.5 billion unique individuals, a billion personal email addresses including work emails for millions of decision-makers in Canada, the UK, and the US, 420 million LinkedIn URLs, a billion Facebook URLs and IDs, over 400 million phone numbers and 200 million valid US mobile phone numbers. The second dataset, on the other hand, contained scraped data from LinkedIn profiles, including information on recruiters.
The analysis they did on the data led them to believe that the data came from two data aggregation companies, People Data Labs and OxyData.io. However, when the two companies were contacted as reported by Wired, that first broke the news, the researchers were told that the server from which the data was exposed did not belong to any of them.
This can be said to be the highest form of negligence and carelessness in anything that has to do with cybersecurity. Even if the data in question did not actually originate from any of the two companies the fact that information could be accessed whether with or without password or authentication is enough reason for concern for all of us.
A simple calculation will reveal that we are talking about information that has to do with about 15.6% of the world population. Their private lives and dealings are left unsecured when we have cybersecurity measures that could have prevented this unfortunate incident.
What makes this more worrisome is that according to Sam Curry, Cybereason chief security officer, “Over the years, hundreds of billions of online accounts have been exposed, meaning that personal information on every human on the face of the earth has been stolen 20 times or more.”
What two cybersecurity measures could have easily secured these data?
Using VPN technology
With VPNs, the issue of exposure wouldn’t have happened the reason being that they offer secure, reliable, fast, safe and efficient means of sharing information across computer networks. The VPN as a private network that uses a public network (usually the internet) to connect remote sites or users together, would have ensured that the records were properly secured.
VPNs make use of “virtual” connections routed through the internet from a business’s private network or a third-party VPN service to the individual at the remote location. VPNs help ensure security by the simple fact that even if your information is intercepted, the encrypted data can’t be understood even when read.
What came as the biggest source of surprise about the exposure of the four billion users’ records is that the companies involved did not make any attempt to secure the records by any means. If the issue at stake here was the financial considerations of subscribing to a paid VPN, there are a lot of service providers in the market like Urban VPN that offer free VPN services.
How is it then that no attempt was made at cybersecurity? This is mind-boggling. Does it mean that the world has not been assaulted enough with cyberattacks?
The blockchain technology
The truth is that the blockchain was originally conceived as a means of facilitating cryptocurrencies but the good news is that the technology has brought transformation into the way businesses carry out a lot of transactions. The numerous features of blockchain rightly position it as a capable technology to enhance cybersecurity and that’s why the exposure shouldn’t have occurred in the first place.
As a decentralized, distributed, and oftentimes public, digital ledger that is used to record transactions across many computers, the blockchain would have ensured that the exposed records cannot be altered retroactively, without the alteration of all subsequent blocks. The decentralization is a key factor in fighting cybercrimes since no one person has controlling authority over the workings of the blockchain.
Before any alteration can occur, a consensus of the network majority which should be at least 51% is required and this is a very difficult task to achieve. The fact that the blocks are linked using cryptography with each block containing a cryptographic hash of the previous block, a timestamp, and transaction data (generally represented as a Merkle tree), is an added advantage.
The end-to-end encryption in the blockchain technology would also have ensured that the researchers at Data Viper were not able to have undue access to the records and even if they have been able to do so through any unforeseen means would not have been able to decipher the meaning.
Since it’s outrightly glaring that what led to this exposure was utter negligence and carelessness on the part of the companies involved, it won’t be out of place to make sure that the companies are made to undergo punitive measures as a deterrent for any other person that may want to do so in the nearest future.