Hack Brief: Why Encrypting Data Won’t Save You From the Next Security Breach

A staggering 773 million records were exposed in a monster breach. Here’s what we can learn from the latest news about Collection 1.

David Wells

Jan 18, 2019

Many people by now have seen the latest news about Collection 1, where a huge batch of 775 million emails and passwords was found for sale by hackers on the internet. According to security researcher Troy Hunt, who first reported on this event, the information for sale was gleaned from more than 2,000 separate compromised databases.

"What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see."

How in the World Did This Happen?

When companies develop consumer or patient websites, they like to test what they are building with real data. Why real data? Because it allows them to see if their software works in real situations. For example, does it handle funny addresses and names, such as “10½ Beacon Street”? And yes, there really are addresses with fractions out there! What about all of the different ways people type in their phone numbers?

Not that long ago, before hackers were on the scene, companies would routinely test new programs by just giving their developers copies of production data. Of course, this meant they had to trust that all of their developers (and there are a lot of them) were honest, followed their corporate security policies and would be careful with all of the sensitive data to which they had access.

But people are people. They leave their company laptops in rental cars or unattended at the coffee shop, or get victimized by viruses. Fast forward to today, where we now see news that someone is selling personal information stored in over 2,000 private databases.

For companies that store personal data, this is a stark reminder of the need to move to secure development operations. It is simply no longer a sound risk management strategy to keep doing what you’re doing and hope you won’t be the next high-profile victim. Oftentimes, businesses are forced to lock down data for security purposes, but that is not a practical or scalable security strategy.

Adopting a “restrictionist” policy on data access limits the availability of crucial test data, which in turn causes problems in the development cycle and poses a significant risk to the business by preventing teams from meeting its demands. We’ve seen many companies unwilling to make the necessary changes to their development processes, largely because they feel those solutions are too hard and expensive to implement or that they would slow down their developers.

Encryption Alone Won’t Save You

One of the startling aspects of this particular breach is that the password data being offered for sale is in “clear text,” meaning it had already been decrypted from its original state. This is a stark illustration of the importance of not relying on encryption to protect data in your development environments.

Thankfully, there’s a better solution: to mask your data. Data masking technology essentially allows organizations to make virtual, sanitized copies of their real data, as many as needed, available to their developers and testers. What I mean by sanitized is that all of the sensitive pieces of data are changed to fake but real-looking values before they are made available.

Simply put, masking doesn’t protect your data by encrypting it but by changing it, so it’s no longer valuable to a hacker. It provides a way to anonymize and desensitize data while ensuring it remains meaningful to those who need data to improve security and accelerate innovation. For example, if a hacker sells someone a bunch of non-existent emails, addresses, and passwords, whoever buys that junk is not going to be very happy because they can’t use it to apply for credit cards, loans, or whatever else they intended to do. It’s like stealing a purse with no money in it.
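A small sketch of the masking idea described above, added here as an illustration and not taken from the original article or any product: it assumes a keyed one-way HMAC substitution (one possible masking technique) so the same email masks to the same fake value in every table, while phone numbers and addresses keep their shape for testing. The names `MASKING_KEY`, `mask_shape`, `mask_email` and `mask_row` are hypothetical, and the sample rows are constructed.

```python
import hashlib
import hmac
import secrets
import string

MASKING_KEY = b"constructed-demo-key"  # assumption: kept with the masking job only

def _keystream(field, value, n):
    """Keyed one-way bytes: the same field and value give the same stream."""
    out, counter = b"", 0
    while len(out) < n:
        msg = f"{field}|{counter}|{value}".encode()
        out += hmac.new(MASKING_KEY, msg, hashlib.sha256).digest()
        counter += 1
    return out

def mask_shape(field, value):
    """Swap ASCII letters and digits; keep length, case and separators."""
    masked = []
    for ch, b in zip(value, _keystream(field, value, len(value))):
        if ch in string.digits:
            masked.append(string.digits[b % 10])
        elif ch in string.ascii_letters:
            masked.append(chr(ord("A" if ch.isupper() else "a") + b % 26))
        else:
            masked.append(ch)  # "(", "-", " ", "½" stay in place
    return "".join(masked)

def mask_email(value):
    """Mask the local part and force the reserved example.com domain."""
    return mask_shape("email", value.lower()).partition("@")[0] + "@example.com"

MASKERS = {
    "email": mask_email,
    "phone": lambda v: mask_shape("phone", v),
    "address": lambda v: mask_shape("address", v),
    "password": lambda v: secrets.token_hex(8),  # never joined on: fresh random
}

def mask_row(row):
    """Return a copy of row with every sensitive column replaced."""
    return {k: MASKERS[k](v) if k in MASKERS else v for k, v in row.items()}

# Constructed sample rows standing in for two production tables.
customer = {"id": 7, "email": "Pat.Doe@corp.test", "phone": "(617) 555-0100",
            "address": "10½ Beacon Street", "password": "hunter2"}
order = {"order_id": 901, "email": "pat.doe@corp.test"}

if __name__ == "__main__":
    print(mask_row(customer), mask_row(order), sep="\n")
```

Because the substitution is keyed on the exact input, a phone number typed as `617.555.0100` masks differently from `(617) 555-0100`; normalise a column before masking if it is used as a join key.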

So one moral of this hacking story is: It’s time to get serious about secure DevOps practices. The overwhelming necessity to drive both innovation and security means that companies can’t abandon one priority in favor of the other. At the center of this duality? Data. Modern enterprises need to approach data in a way where they can balance speed of innovation with safety and security. Today, every company is a data company, and rapid and secure access to data should be at the heart of every enterprise initiative.