On December 3, 2018, the international Marriott company announced a massive attack affecting about 500 million customers who had made a reservation at a Starwood hotel. The breach had targeted the hotel chain’s reservation database since 2014, Marriott International admitted, stating that management only discovered the breach after an internal security tool alerted them in September to an unauthorized attempt to access the Starwood database. The hotel chain said it has reported the hack to law enforcement.
The properties affected by the Marriott attack include Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Le Méridien, Tribute, Design Hotels, Element and the Luxury Collection.
In this attack, personal information of customers such as their names, addresses, phone numbers, birth dates, email addresses and encrypted credit card details were stolen by hackers. Additionally, the travel histories and passport numbers of a smaller group of guests were also taken.
While the attack on Marriott’s database exemplifies one of the most detrimental corporate data breaches in history, it is at the same time a current indicator of how fragile big companies’ computer networks are today, despite increasing awareness of cybersecurity measures in the business environment. As the wave of data breaches continues to damage companies, it is necessary to remember some of the largest data breaches of all time, as well as the need for new solutions to the problem of protecting digital data stored on local machines or cloud services.
What is a data breach?
A data breach can be defined as “an incident where information is stolen or taken from a system without the knowledge or authorization of the system’s owner. A small company or large organization may suffer a data breach. Stolen data may involve sensitive, proprietary, or confidential information such as credit card numbers, customer data, trade secrets, or matters of national security.” Data breaches can be classified by type: hacking, negligence, ransomware, malware, phishing and denial of service (DoS).
If we look at the most damaging data breaches of the past, the most noteworthy example would be the Yahoo case, whose hack surpasses the others in terms of its impact on user accounts. The two major breaches of the database of Yahoo, the internet service company, were carried out by hackers in 2013 and 2014. The first, which affected over 500 million Yahoo user accounts in late 2014, was announced in September 2016. Another separate data breach, which occurred earlier, around August 2013, was reported in December 2016. Initially, these breaches were believed to have affected over 1 billion user accounts; however, Yahoo reported in late 2017 that all 3 billion of its user accounts were affected by these attacks, which went down in data breach history as the largest and most damaging “invasion” of the private spheres of people and businesses. The personal details involved were names, dates of birth, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, along with hashed passwords. After the two separate attacks on the Yahoo database, the company was heavily criticized for its late disclosure of the breaches and the vulnerability of its cybersecurity measures.
Another of the most detrimental examples in data breach history was the attack on the database of the official Canada credit bureau Equifax, which was discovered in July and announced in September 2017. In this attack, approximately 145.5 million user accounts, including personal information of its customers such as names, social security numbers, birth dates, addresses and, in some cases, driver’s license numbers, were accessed because of a vulnerability in its web application. After the announcement of the Equifax data breach, the CEO of the company said, “This is clearly a disappointing event for our company and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.”
Another shocking data breach in the historical record occurred in the medical industry. On February 4, 2015, Anthem, Inc. reported that over 37.5 million records, including personal information such as names, birthdays, medical IDs, street addresses, e-mail addresses and employment information, had been stolen from its servers. On February 24, 2015, Anthem raised the number of people whose personal information was affected to 78.8 million. Even if this breach was considered an intentional attack sponsored by foreign governments against the reputation of the US government, it does not excuse Anthem Inc.’s lack of cybersecurity measures.
In particular, the 2016 breach of the database of MySpace, one of the largest social networking companies, once again alerted us to the urgency of new kinds of measures for providing cybersecurity in the business environment.
According to the veteran social network, the attack affected users who had created an account with an email address, password and username before 11 June 2013, since after that date MySpace started using a new system. Even though the company has not clearly stated the number of users affected by the attack, earlier reports put the number of stolen accounts at over 360 million.
At the time, the company said that when moving from the old platform to the new one it “took significant steps to strengthen account security”, adding that “the compromised data is related to the period before those measures were implemented”.
One important factor in the MySpace attack is that many of the passwords created by MySpace users follow exactly the common patterns people are urged never to use. For example, the most used password was “homelsspa,” which was used over 855,000 times. This made passwords easier to predict and, as a result, user accounts more vulnerable. Even though MySpace warned its customers about the need to reset such weak passwords, these measures to prevent cyber attacks proved unfortunately insufficient in light of the lessons of the past.
Considering the MySpace attack, companies need to pay close attention to updating their cybersecurity measures in order to provide privacy and reliability for their customers. Cybersecurity, the practice of protecting systems, networks, and programs from digital attacks, has multiple layers of protection spread across the computers, networks, programs, or data that are to be kept safe, relying on cooperation between people, processes, and technology to create an effective defense against cyber attacks.
Within this triangle, users must follow basic data security principles such as choosing strong passwords, being wary of attachments in emails, and backing up data. Organizations need to identify and disclose attacks early and protect their systems by responding to possible threats, while technology helps organizations and people protect themselves from cyberattacks through methods such as next-generation firewalls, DNS filtering, malware protection, antivirus software, and email security solutions.
What is the solution?
Although the importance of such measures for providing cybersecurity cannot be denied, implementing most of them effectively is particularly challenging today, because attackers are becoming more innovative as technology develops. However, even though attackers are getting better at hacking, beyond the aforementioned methods, other ways to combat these attacks have also crossed a crucial threshold thanks to the latest impenetrable blockchain technology.
Based on its distributed network, blockchain technology can improve the online security of any business and ensure that data cannot be damaged, stolen or lost. A verified piece of data forms a block, which is then added to the chain; once added, the data cannot be altered or removed from the chain, because cryptography lets users compare previous versions of a block with the latest one and identify any difference. In these decentralized record-keeping mechanisms, when a hacker tries to tamper with a block, the whole system analyzes every single block of data to detect the one that differs from the majority of the network and, as a next step, immediately excludes the “false” data from the chain.
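The tamper-evident chaining described above, as an added illustration that is not Colendi’s or any real blockchain’s code: each block’s hash covers its record and the previous block’s hash, so recomputing the hashes exposes an inconsistent edit, and comparing replicas exposes the one node whose copy differs from the majority. The sample records, node names and the `edit_block` helper are constructed for the example; consensus and block production are not modelled.

```python
import hashlib
import json
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

GENESIS_PREV = "0" * 64  # link value used by the first block

class Block(NamedTuple):
    index: int
    data: str
    prev_hash: str
    hash: str

def compute_hash(index: int, data: str, prev_hash: str) -> str:
    # The hash binds the record to its position and to the previous block's hash.
    payload = json.dumps({"i": index, "d": data, "p": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append_block(chain: List[Block], data: str) -> List[Block]:
    index, prev_hash = len(chain), (chain[-1].hash if chain else GENESIS_PREV)
    return chain + [Block(index, data, prev_hash, compute_hash(index, data, prev_hash))]

def first_invalid_block(chain: List[Block]) -> Optional[int]:
    """Recompute every hash and link; return the first inconsistent index, else None."""
    for i, b in enumerate(chain):
        expected_prev = chain[i - 1].hash if i else GENESIS_PREV
        if b.prev_hash != expected_prev or b.hash != compute_hash(i, b.data, b.prev_hash):
            return i
    return None

def edit_block(chain: List[Block], index: int, new_data: str, rehash: bool) -> List[Block]:
    """Constructed edit of one record in a single copy; rehash=True also fixes that block's own hash."""
    b = chain[index]
    h = compute_hash(index, new_data, b.prev_hash) if rehash else b.hash
    return chain[:index] + [Block(index, new_data, b.prev_hash, h)] + chain[index + 1:]

def outlier_nodes(replicas: Dict[str, List[Block]]) -> List[str]:
    """Nodes whose chain content differs from the majority of the network."""
    fp = {n: hashlib.sha256(json.dumps(c).encode()).hexdigest() for n, c in replicas.items()}
    majority = Counter(fp.values()).most_common(1)[0][0]
    return sorted(n for n, f in fp.items() if f != majority)

# Constructed sample: three verified records replicated to five nodes, one node edited.
CHAIN: List[Block] = []
for record in ("guest A: reservation", "guest B: passport on file", "guest C: card tokenised"):
    CHAIN = append_block(CHAIN, record)
NODES = {f"node{i}": CHAIN for i in range(5)}
NODES["node3"] = edit_block(CHAIN, 1, "guest B: nothing on file", rehash=True)
```

A rewrite of the last block with its hash recomputed passes the local check, which is why the network-wide majority comparison, not the hash chain alone, is what flags a lone altered copy.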
Even if a hacker attempts to destroy the data stored on every user’s computer in the blockchain network, this is a very challenging task, because millions of computers hold a complete or partial copy of the data, unless the hacker can simultaneously bring down the entire network. Since this is mathematically almost impossible, the blockchain network avoids the risk of being attacked by hackers. Therefore, we can consider blockchain technology the most secure form of storing and sharing information online that we’ve discovered so far. That’s why most companies in different sectors have started to embrace blockchain technology to prevent fraudulent activity and increase data protection.
In that sense, Colendi, a credit scoring and microcredit platform, is one of the companies that can prevent fraud and protect its customers’ wide range of data thanks to blockchain technology today. Colendi provides a self-sovereign, mobile credibility identity for its users with the help of its highly developed credit scoring mechanism. The Colendi ID is the user’s self-sovereign digital identity, holding their relevant information in a private and protected model thanks to the decentralized Ethereum blockchain. When you log in to the Colendi application, only your Colendi ID is shared with the users on the network, keeping your entire data private. This means that access to identity parameters is only possible with the user-owned smartphone and the private key given to the user at registration.
Colendi also creates a mechanism for preventing “fraud” as well as for decentralized scoring. Both real-time and historical data are processed via intelligent algorithms in each node, so unreliable users, as well as fraudulent operations, are detected instantly to enhance the overall security and reliability of the protocol. One of the main tools enhancing security to achieve “economic finality” in the Colendi ecosystem is the slashing mechanism, a penalty for bad actors that serves as an extra safety measure. Colendi introduces slashing conditions to protect each party as well as the protocol from any imposture or privacy-violating act, and to enable data integrators to maintain the consistency of their networks until the validation of each persona in the ecosystem is complete. With a rounded solution to data hacks, an easy-to-use interface and a spot-on solution for the unbanked, blockchain projects like Colendi will mark the beginning of a new era of private data handling and complete trust.