The security of custody measures on digital assets platforms has been a huge matter of concern for several years, and rightfully so.
These days, large-scale cryptocurrency exchange hacks are a relatively rare occurrence. However, as recently as last year and the year before, exchange hacks were relatively common. In 2018, $875 million was stolen in six major hacks; in 2019, an additional $282 million was pilfered in 11 hacks.
While the year is not over yet, data collected by IDEX shows that there have only been five big exchange hacks in 2020, with a smaller amount of crypto being stolen than in 2018.
Therefore, it seems reasonable to say that cryptocurrency exchanges have improved their security measures enough that hacks are occurring less frequently, and when they do happen, they are less profitable for the thieves.
This shift away from crypto exchange hacks seems to have driven these criminals in the crypto space to explore other methods of theft. For example, Finance Magnates recently reported on an apparent increase in socially-engineered crypto scams.
However, while hacking into an exchange’s cryptocurrency stores may have become a more difficult task for hackers, there is another area of interest that hackers seem to continue to have regular access to: personal data.
Personal Data Safety Measures Are ‘Almost Certainly’ Not Keeping Up With the Safety Measures Implemented for the Custody of Crypto Assets
After all, the increased number of know-your-customer (KYC) and anti-money-laundering (AML) requirements that are present on cryptocurrency exchanges have transformed crypto exchanges and other crypto-related platforms into veritable gold mines for data.
While the security measures for the custody of assets on cryptocurrency exchanges seem to be improving, it is unclear whether personal data safety measures are keeping pace.
Mark Hornsby, chief technology officer at crypto custody firm Trustology, told Finance Magnates that personal data safety measures on cryptocurrency platforms are ‘almost certainly’ not as secure as the safety measures implemented for the custody of crypto assets.
After all, it was just this week that a hacker broke into a CryptoTrader.Tax marketing and customer service employee’s account on a support center platform, appropriating customers’ names, email addresses, payment processor profiles, and messages, some of which contained information about cryptocurrency incomes. The hacker is now trying to sell this information on a dark web forum.
Additionally, last month, crypto hardware wallet company Ledger revealed that a data breach had exposed around a million of its customers’ email addresses, as well as the personal information of 9,500 of its customers.
These two most recent examples are hardly unique.
“We are bombarded daily with news of yet another data breach, and there is a certain inevitability to being caught up in one of those who have a significant online presence,” Hornsby explained. “However, this isn’t a problem unique to the crypto industry.”
Why is this happening?
“Shielding User Data from Attack Is More Challenging Because the Attack Surface Is Much Larger.”
Jacob Yocom-Piatt, Co-Founder & Project Leader for cryptocurrency network Decred, told Finance Magnates part of the issue is that protecting personal data is a much more complex process than protecting digital assets.
“Protecting digital bearer assets is a matter of protecting a very small amount of information: your private keys,” he said, adding that “there are a variety of tools for doing this, e.g. hardware wallets.”
However, “shielding user data from attack is more challenging because the attack surface is much larger. There are large amounts of personal identification information (PII) that must be protected, but this data needs to simultaneously be available for review by staff.”
Moreover, part of the problem could be that for many cryptocurrency exchanges, handling AML and KYC data is a new set of responsibilities. Many platforms have adopted KYC and AML requirements not because of their own choice, but because they have been required to do so by regulators, and while regulators have been clear about the fact that data needs to be collected, there has not been as much focus on how that data should be protected.
There are, of course, some measures in place. For example, an article by Proton Technologies AG explained that the General Data Protection Regulation (GDPR), which was intended to increase transparency around data collection and protection for EU citizens, “is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).”
This ‘lack of specifics’ could be contributing to confusion around compliance, and could therefore also be contributing to a general lack of data safety.
Company Priorities Can Play a Big Role
This regulatory ambiguity around personal data protection is not necessarily a problem for each and every cryptocurrency platform. In fact, some have taken the ambiguity as a cue to establish themselves as industry leaders when it comes to personal data processing and protection.
On the other hand, the lack of specific regulation has allowed platforms that do not prioritize customer data protection to leave that data vulnerable.
Therefore, Drew Porter, President and Founder at Red Mesa, told Finance Magnates that users of cryptocurrency platforms should generally consider the data they provide to those platforms to be vulnerable to exposure.
Drew said that while the reasons for this vulnerability “can vary from project to project,” the main cause may be a matter of priorities.
“These projects are focusing on features and scalability and not so much on security,” he said, adding that sources in the industry have said that “security and privacy is an afterthought for many, as in the eyes of many it’s about making money.”
A Multifaceted Problem Requires a Multifaceted Solution
Therefore, the reasons behind the seemingly high level of vulnerability seem to be coming from at least two different pain points: the complexity of collecting and processing data, as well as the lack of clearly enforced regulation around how personal data should be protected.
Trustology’s Mark Hornsby explained to Finance Magnates that as a result, the solution to the problem is multi-faceted.
Hence, to deal with the complexity of processing and storing multiple pieces of sensitive personal data, crypto platforms must evaluate which pieces of information are essential, and which are not: “firstly, companies should always focus on data minimization,” Hornsby said. “The less data you hold on your customers the better.”
Additionally, data that does need to be sent to or kept by companies “should always be encrypted, both in transit and at rest,” he said, adding that “if you only need to make equality comparisons then using an adaptive hash function is an ideal way to prevent the data ever being retrieved.”
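The two measures Hornsby describes, data minimization and an adaptive hash for fields that only ever need an equality check, can be combined in a small storage routine. The following is an added example, not code from Trustology or from the article; the field names, the constructed customer record and the scrypt work factors are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# scrypt work factors (assumption: modest values so the example runs quickly;
# a production deployment would tune these against its own hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32
SALT_BYTES = 16

# Constructed sample of the kind of record a support platform might hold.
RAW_CUSTOMER = {
    "customer_id": "c-1001",
    "name": "Alice Example",
    "email": "Alice@Example.com ",
    "payment_profile_id": "pp-55aa",
    "message": "My 2019 crypto income was ...",
}


def normalise(value: str) -> bytes:
    """Canonicalise before hashing so 'Alice@Example.com ' equals 'alice@example.com'."""
    return value.strip().lower().encode("utf-8")


def protect(value: str) -> dict:
    """Store only a random per-record salt and the scrypt output, never the plaintext.
    Caveat: low-entropy fields (phone numbers, dates of birth) stay guessable by
    enumeration even behind an adaptive hash; minimise those instead."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(normalise(value), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"salt": salt.hex(), "hash": digest.hex()}


def matches(record: dict, candidate: str) -> bool:
    """Equality check: rehash the candidate with the stored salt, compare in constant time."""
    digest = hashlib.scrypt(normalise(candidate), salt=bytes.fromhex(record["salt"]),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def minimise(raw: dict, keep: set, hash_only: set) -> dict:
    """Data minimisation: drop every field not in `keep`; fields in `hash_only` are kept
    only as salted scrypt digests, so they can be compared but not read back."""
    out = {}
    for field in keep:
        if field in raw:
            out[field] = protect(raw[field]) if field in hash_only else raw[field]
    return out
```

Because each record carries its own salt, `matches` answers "is this the same value as the one on file?" for a known record; a search-by-email index would instead need a keyed hash with a secret held outside the database.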
“The Industry Needs to Collaborate to Ensure That Best Practice Is Documented and Readily Available.”
Another part of the solution to the industry’s data security problem is better communication between platforms on best practices. This could potentially act as a remedy against unclear regulations on data protection.
After all, there have been many examples of self-governance, with crypto industry entities banding together to develop industry standards when regulators were lagging behind: CryptoUK and the Japan Blockchain Association are two of the more famous examples.
“The industry needs to collaborate to ensure that best practice is documented and readily available,” Trustology’s Mark Hornsby commented. “By sharing knowledge and code we can help to reduce the likelihood and impact of a data breach event.”
User Education And Awareness May Be the Most Important Thing
Beyond the company maintaining its security, users must also be vigilant when it comes to entrusting their data to crypto platforms.
Mark Hornsby said that indeed, user education on personal identity safety may be the most important piece of the data security issue.
“Users should be encouraged to adopt good password behavior,” he said, which could mean “using a password manager and a unique randomly generated password per site/application, always enabling 2-factor authentication (2FA), and to consider which pieces of data (and how much) they share with any given service.”
Users should also research the companies that they are entrusting their data with to see if there have been any prior incidents relating to data theft.
However, at the end of the day, there is always going to be some level of risk associated with entrusting data to a centralized third party. Therefore, unless a user is only willing to use exclusively decentralized platforms, personal data is always at the risk of exposure.
“Users can never be sure their personal data is secured properly by the platforms they choose to use,” Decred’s Jacob Yocom-Piatt told Finance Magnates. “By letting someone custody your data, whether we’re talking about private keys or PII, you always run the risk of that trusted third party being hacked and losing control of your data.”