Capital One, the third largest credit card issuer in the US, is the latest high-profile victim of a massive data breach, in which the personal information of more than 100 million customers was compromised.
With details of the breach still emerging, it’s impossible to provide a comprehensive analysis of what happened. Rich Mogull, analyst and CEO at the information security research and advisory firm Securosis, has delivered a thoughtful, responsible look at what we know to date.
He applauds both how quickly Capital One was able to get to the bottom of the hack and their rapid response to law enforcement and the public.
Yes, Capital One did all of the right things after the breach, and Mogull closes his blog post with a sobering and accurate depiction of the state of data security: “No matter how good you are, mistakes happen. The hardest problem in security is solving simple problems at scale. Because simple doesn’t scale, and what we do is damn hard to get right every single time.”
I couldn’t agree more. In fact, this is truer now than ever. Security is damned hard to get right every single time. Data assets are very valuable, and increasingly more parts of every organization need access to that data to extract maximum value from it. This makes the job of solving simple problems at scale exponentially more difficult.
Although security is important, the real solution cannot be more of the same. Capital One spends a significant amount of money on cyber security. They also apparently have taken steps to reduce privacy risk. For example, they smartly tokenized some of their identifiers, such as account number and social security number. However, they were not completely successful, as some of that data was found to be exposed, as were other identifying fields. Perhaps they assumed encryption would prevent access, but apparently the hacker was able to decrypt the data.
I recently transitioned from the cybersecurity space to data privacy. One of the drivers for doing so is that, as an industry, we have been managing data in much the same way for the last four decades. As is the case with Capital One, we’ve tried to add controls around access and we encrypt data when we can (or when it’s feasible), but today, more than ever before, companies not only want to protect sensitive personal data, but also derive value from their data. That requires making it more accessible to employees who can act on it.
We need to rethink our approaches. Context is the name of the next game.
A hard look at the bigger picture is required. What valuable information is housed in the data? Where and how does that data need to be used in the business? What is the lifecycle of that data? Answers to those questions and more are the next required step to deliver the state of the art in data privacy and protection.
From there we can apply advanced data privacy techniques on the data as applicable while governing the data as it’s being utilized. If we can do all of this at scale with automation, it will protect sensitive personal data and meet the real-time needs of the data consumers within organizations.
Simply put, organizations want to make their data safe and usable without compromising privacy. No small task.
Bob Canaway is Privitar’s Chief Marketing Officer