Another week, another data breach.
Another major company keeping its customers’ details on a centralised, easily hackable database.
Another load of innocent, oblivious people having their names, addresses, passport numbers and bank details stolen and likely sold on to the highest bidder.
It’s all par for the course.
Only this time, it wasn’t just a load of people. Or even a massive amount of people, or even many, many thousands of people.
It was 500 million.
That’s right, Marriott hotels has announced that 500 million customer details have been compromised.
Just to put that 500 million people number into perspective.
It’s over 7.5 times the population of the UK.
It’s over 1.5 times the population of the US.
It’s just under 7% of the world’s population – or roughly one in every 15 people on the planet.
One in every 15 people on the planet has just had their “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences” stolen, according to Marriott’s press release.
“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” says Marriott.
So, it looks likely many of those 500 million will also have had their credit card numbers stolen, too.
The most surprising thing about this whole episode, to me, is that this isn’t even the biggest data breach in recent years.
“[Marriott] is not the largest breach in terms of number of records and was not the worst in terms of identity theft potential, but it is easily in the top five for worst hacks that directly impact the general public,” cybersecurity expert Jim McCoy told ABC News.
No, that honour goes to Yahoo.
In 2017, four years after the 2013 event, Yahoo admitted every single Yahoo account had been hacked, all three billion of them. Three billion!
Basically, if you had a Yahoo account on or before 2013, it has been hacked. The hackers have your password, security questions, name, age, nationality… everything you ever shared with that account.
Still, unlike the Marriott hack, at least the Yahoo one didn’t involve bank and passport details.
This hack isn’t even front page news. In fact, I found out about it via a Wired daily email. And it wasn’t even the top story on that.
Most people will probably never hear about this massive data breach. It’s simply not news.
But I find that crazy, given how big of an issue identity theft and fraud is. This kind of stuff can ruin people’s credit ratings for years.
It can also lead to people being charged with financial crimes they never committed and can cost victims tens or even hundreds of thousands of pounds.
And that’s just on an individual scale. This hack affected 500 million people.
That is one in 15 people in the world, who may now face years of financial struggle, and no one is talking about it.
It boggles the mind.
Who is to blame?
I’m going to say something you probably didn’t expect now.
I do not think Marriott is to blame for this monumental failure of trust.
A hack like this happens every few weeks. True, not on this scale, but hacks on this scale aren’t exactly rare either.
Last year 146 million Equifax records were compromised. These records had people’s names, dates of birth, social security numbers, addresses, driver’s licence details and credit card numbers.
These breaches happen all the time.
A couple of months ago British Airways was hit with a similar one and told all its recent customers they should cancel their credit cards as they had been compromised.
These companies – all companies – hire cybersecurity experts to shore up their databases and make them more difficult to hack. But the hacks keep on coming.
The truth is, no matter how good an organisation’s cybersecurity, it is still vulnerable to hackers. The UK’s cybersecurity chief, Ciaran Martin, said as much in September.
While being interviewed about the British Airways hack on Radio 4 last week, he stated: “You’ve got to assume that some of these things are going to get through.”
He admitted that even his organisation – the UK’s national cybersecurity centre, the very organisation tasked with preventing this kind of stuff – was still vulnerable to hacking.
And, although this kind of stuff doesn’t usually make the front pages, that doesn’t mean it isn’t a real threat.
In fact, when Mark Carney, the governor of the Bank of England, was asked what he believes are the biggest threats to the financial system, he stated cybersecurity.
“Because financial systems are so interconnected,” he said.
And that’s the key thing here: centralisation.
Organisations store millions – in fact billions – of user details on single, centralised databases.
Get into that database and you get everything, as we have seen time and time again.
The current solution is to make the walls on that database as strong as possible, and make the locks that keep the data in ever stronger and ever better.
What do hackers do? They simply pickpocket someone who has a key to this lock and they are in. Once they are in they can take it all. All the records, everything, in seconds.
The hackers may not even need to do anything too sophisticated to get that key. If someone has the means, and they really want in, they will get in.
If the lock is too strong, they will simply use “social engineering” to get a key from someone who already has one.
“Social engineering” is a term hackers use for playing the person not the system. Phishing attacks, like the one I wrote about in October (The anatomy of a near-perfect internet scam – which you’ve likely been targeted by) are an example of this.
What is the solution?
So, if the problem is centralisation then the solution must be… decentralisation.
Instead of storing all this data on a single, centralised database, bits of it can be stored on a blockchain.
This means there is no central database to hack. But we can do much better than that. We can make it so there isn’t even any data to hack. Here’s how it works.
One of the key developments in blockchain is zero-knowledge proofs.
These basically let you prove you have certain data without ever showing anyone that data.
So, say you want to prove you’re allowed to leave the country to British Airways, but you don’t want it to have your passport details on file, in case BA gets hacked again.
Instead of giving BA your passport details, you give proof that you own your passport and are able to fly.
Doing that without handing over your actual passport details may sound impossible, but it’s not.
Or say you ring a call centre to transfer money between your bank accounts.
Instead of giving the call operator your name, address, account number, etc, you just give them proof you have all of that information, but you never give them any of the information itself.
If the call operator is looking to steal your money or sell your information on, they can’t. They don’t actually have any information on you.
This proof all happens automatically; you don’t have to do anything. You just log in to your identity dApp (decentralised app).
This means you can prove your identity to any company without ever giving them any information about yourself.
If they get hacked, it doesn’t matter. They don’t actually have any of your personal information, just a line of computer code that proved you are who you say you are. The hacker can’t use it for anything.
As I said, it sounds like magic, but it’s actually very simple.
How zero knowledge works
This is the simplest example I’ve seen on how zero-knowledge proofs work.
Imagine your friend is colour-blind and you have two balls: one red and one green, but otherwise identical. To your friend they seem completely identical and he is skeptical that they are actually distinguishable. You want to prove to him they are in fact differently-coloured, but nothing else, thus you do not reveal which one is the red and which is the green.
Here is the proof system. You give the two balls to your friend and he puts them behind his back. Next, he takes one of the balls and brings it out from behind his back and displays it. This ball is then placed behind his back again and then he chooses to reveal just one of the two balls, switching to the other ball with probability 50%. He will ask you, “Did I switch the ball?” This whole procedure is then repeated as often as necessary.
By looking at their colours, you can of course say with certainty whether or not he switched them. On the other hand, if they were the same colour and hence indistinguishable, there is no way you could guess correctly with probability higher than 50%.
If you and your friend repeat this “proof” multiple times (e.g. 128), your friend should become convinced (“completeness”) that the balls are indeed differently coloured; otherwise, the probability that you would have randomly succeeded at identifying all the switch/non-switches is close to zero (“soundness”).
The above proof is zero-knowledge because your friend never learns which ball is green and which is red; indeed, he gains no knowledge about how to distinguish the balls.
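To make the three properties concrete, here is a small simulation of the colour-blind-friend protocol, written in Python. It is an added example and not part of the original article or any project it mentions; the ball labels, the round count and the random seeds are constructed for illustration. It plays the protocol with an honest prover holding two differently coloured balls (completeness), with a prover holding two identical balls who can only guess (soundness, where the chance of surviving every round is (1/2)^rounds), and finally shows that a “simulator” with no access to the colours can reproduce the verifier’s transcript exactly (zero-knowledge).

```python
import random

# Constructed example: the two balls from the article. Only a prover who can see
# colour can tell them apart; the colour-blind verifier never looks at these labels.
RED, GREEN = "red", "green"


def honest_prover(before, after):
    """Prover who can see colour: truthfully reports whether the ball was switched."""
    return before != after


def make_guessing_prover(rng):
    """Prover who cannot tell the balls apart (e.g. both are the same colour) can only guess."""
    def guess(before, after):
        return rng.random() < 0.5
    return guess


def run_round(balls, prover, rng):
    """One round of the protocol. Returns (prover_was_right, transcript_entry)."""
    first = rng.randrange(2)            # verifier shows one ball...
    switched = rng.random() < 0.5       # ...then secretly switches with probability 1/2
    second = 1 - first if switched else first
    answer = prover(balls[first], balls[second])   # "Did I switch the ball?"
    # The transcript records only the verifier's coin and the prover's yes/no answer,
    # never which ball is which colour.
    return answer == switched, (switched, answer)


def run_protocol(balls, prover, rounds, rng):
    """Repeat the round; reject as soon as the prover answers wrongly."""
    transcript = []
    for _ in range(rounds):
        correct, entry = run_round(balls, prover, rng)
        transcript.append(entry)
        if not correct:
            return False, transcript
    return True, transcript


def cheating_success_rate(rounds, trials, seed=0):
    """Empirical soundness check: fraction of runs in which a prover holding two
    identical balls (so nobody can distinguish them) survives every round."""
    rng = random.Random(seed)
    prover = make_guessing_prover(rng)
    wins = sum(run_protocol([RED, RED], prover, rounds, rng)[0] for _ in range(trials))
    return wins / trials


def cheating_success_bound(rounds):
    """Exact probability of guessing every round correctly: (1/2)^rounds."""
    return 0.5 ** rounds


def simulate_transcript(rounds, rng):
    """Zero-knowledge: a simulator with no access to the colours, using only the
    verifier's own coin flips, produces a transcript identical to a real one."""
    transcript = []
    for _ in range(rounds):
        rng.randrange(2)                 # consume the same coins the verifier would
        switched = rng.random() < 0.5
        transcript.append((switched, switched))   # honest prover always answers correctly
    return transcript


if __name__ == "__main__":
    accepted, real = run_protocol([RED, GREEN], honest_prover, 128, random.Random(7))
    print("honest prover, distinguishable balls, accepted after 128 rounds:", accepted)
    print("honest prover, identical balls, accepted:",
          run_protocol([RED, RED], honest_prover, 128, random.Random(7))[0])
    print("cheater survives 20 rounds (empirical over 2000 runs):", cheating_success_rate(20, 2000))
    print("cheater survives 20 rounds (exact):", cheating_success_bound(20))
    print("simulated transcript equals real transcript:",
          real == simulate_transcript(128, random.Random(7)))
```

The last check is the heart of the “zero-knowledge” claim: because the simulator, which never sees a colour, produces exactly the same transcript the verifier would have obtained from the real prover, nothing in that transcript can have taught the verifier which ball is red and which is green.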
Within blockchain these zero-knowledge proofs have moved on and can now work without any interaction between the person providing the information and the one verifying it.
If you want to know more about how this works in detail, you can read Zcash’s page on zk-SNARKs here.
There is no data to hack
And now to come back to Mark Carney saying that cybersecurity is one of the biggest threats to the financial system because of how interconnected everything is.
Well, zero knowledge solves this problem. With things like zk-SNARKs, institutions can work together and process transactions without ever putting each other at risk.
If one got hacked, it would only be their data at risk. They would have no knowledge of other institutions’ data.
With blockchain and zero-knowledge proofs, data breaches become virtually impossible.
I’m sure eventually, people will work out ways to hack even these systems. But one thing is for sure, they are a whole lot more secure than what companies are using right now.
The problem is, big institutions and government entities are not really aware this kind of technology exists, yet.
The work is being done to get the knowledge out there, but it won’t happen overnight.
However, if the world is serious about stopping data breaches for good, this is the way to do it.
So, although crypto prices are in the gutter right now, that doesn’t mean they aren’t going to be an essential part of many different industries in the coming years.
Once you start to see just how useful and important blockchain technology is, you start to see why there is so much excitement surrounding it.
In the meantime, how would you like to learn how to make money when things like this hack happen?
On the news of this hack, Marriott’s stock dropped by 6% in price. Short sellers will have made money trading this inevitable price drop.
If you’d like to learn how to make money when stocks go down as well as up, you’re in luck.
Tomorrow afternoon, Eoin Treacy is producing a webcast to teach people when, how and why they should short stocks.
It’s entirely free to watch, so long as you secure your priority viewing pass here. Then all you need to do is be ready at 2pm tomorrow.
Until next time,
Editor, Exponential Investor