The security of custody measures on digital assets platforms has been a huge matter of concern for the last several years, and rightfully so.
These days, large-scale cryptocurrency exchange hacks are a relatively rare occurrence; however, as recently as last year, exchange hacks were almost commonplace. In 2018, $875 million was stolen in six major hacks; in 2019, $282 million was stolen in 11 hacks.
While the year isn’t over yet, data collected by IDEX shows that there have only been five big exchange hacks in 2020, with much less crypto in total being stolen than in 2018.
Therefore, it seems possible that cryptocurrency exchanges may have improved their security measures enough that hacks do not happen as frequently, and when they do happen, they are less profitable.
This shift away from crypto exchange hacks seems to have driven criminals in the crypto space to explore other methods of theft. For example, Finance Magnates recently reported on an
However, while hacking into an exchange’s cryptocurrency stores may have become a more difficult task for hackers, there is another area of interest that hackers seem to continue to have regular access to: personal data.
Personal data safety measures are “almost certainly” not keeping up with the safety measures implemented for the custody of crypto assets
After all, the increased number of know-your-customer (KYC) and anti-money-laundering (AML) requirements that are present on cryptocurrency exchanges have transformed crypto exchanges and other crypto-related platforms into veritable gold mines for data.
While the security measures for the custody of assets on cryptocurrency exchanges seem to be improving, it’s unclear if personal data safety measures are keeping up to par.
Mark Hornsby, chief technology officer at crypto custody firm Trustology, told Finance Magnates that personal data safety measures on cryptocurrency platforms are “almost certainly” not keeping up with the safety measures implemented for the custody of crypto assets.
Additionally, last month, a crypto hardware wallet company had exposed around a million of its customers’ email addresses, as well as personal information for 9,500 of its customers.
These two most recent examples are
“We are bombarded daily with news of yet another data breach and there is a certain inevitability to being caught up in one for those who have a significant online presence,” Hornsby explained. “However, this isn’t a problem unique to the crypto industry.”
Why is this happening?
Jacob Yocom-Piatt, Co-Founder & Project Lead for cryptocurrency network Decred, told Finance Magnates that part of the issue is that protecting personal data is a much more complex process than protecting digital assets.
However, “shielding user data from attack is more challenging because the attack surface is much larger. There are large amounts of personal identification information (PII) that must be protected, but this data needs to simultaneously be available for review by staff.”
Part of the problem could also be that for many cryptocurrency exchanges, handling AML and KYC data is a new set of responsibilities. Many platforms have adopted KYC and AML requirements not by their own choice, but because regulators have required them to do so. While regulators have been clear about the fact that data needs to be collected, there hasn’t been as much focus on how that data should be protected.
There are, of course, some measures in place. For example, an by Proton Technologies AG explained that the General Data Protection Regulation (GDPR), which was intended to increase transparency around data collection and protection for EU citizens, “is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).”
This “lack of specifics” could be contributing to confusion around compliance, and could therefore also be contributing to a general lack of data safety.
Indeed, Matthew Dailly, Managing Director at Tiger Financial, told Finance Magnates that “safety standards such as GDPR are still useless within the EU. Nobody had a clue how it should be applied when it was first announced, and it still seems to be the case today.”
This regulatory ambiguity around personal data protection isn’t necessarily a problem for each and every cryptocurrency platform. In fact, some have taken the ambiguity as a cue to establish themselves as industry leaders when it comes to personal data processing and protection.
On the other hand, however, the lack of specific regulation has allowed platforms with a lack of priorities around customer data protection to leave data vulnerable.
For this reason, Drew Porter, President and Founder at Red Mesa, told Finance Magnates that users of cryptocurrency platforms should generally consider the data they provide to those platforms to be vulnerable to exposure.
Drew said that while the reasons for this vulnerability “can vary from project to project,” the main cause may be a matter of priorities.
“These projects are focusing on features and scalability and not so much on security,” he said, adding that sources in the industry have said that “‘security and privacy is an afterthought for many, as in the eyes of many it’s about making money.’”
A multifaceted problem requires a multifaceted solution
Therefore, the seemingly high level of vulnerability appears to stem from at least two different pain points: the complexity of collecting and processing data, and the lack of clearly enforced regulation around how personal data should be protected.
Trustology’s Mark Hornsby explained to Finance Magnates that the solution to the problem therefore has to be multi-faceted.
To deal with the complexity of processing and storing multiple pieces of sensitive personal data, crypto platforms must evaluate which pieces of information are essential, and which are not: “firstly, companies should always focus on data minimization,” Hornsby said. “The less data you hold on your customers the better.”
Additionally, data that does need to be sent to or kept by companies “should always be encrypted, both in transit and at rest,” he said, adding that “if you only need to make equality comparisons then using an adaptive hash function is an ideal way to prevent the data ever being retrieved.”
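The two recommendations above, data minimization and keeping fields that are only ever compared for equality as an adaptive (memory-hard) hash rather than in a recoverable form, can be illustrated with a small example. The code below is an added illustration written for this article, not code from Trustology or any platform mentioned here; the field names, the `REQUIRED_FIELDS` set and the scrypt work factors are constructed assumptions. It covers the hashing and minimization advice only, not encryption in transit or at rest.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# scrypt work factors: constructed for this example, tune to your own hardware budget.
# Memory use is roughly 128 * N * r bytes, i.e. 16 MiB with these values.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
DIGEST_LEN = 32

# Hypothetical minimal set of fields this service actually needs to operate.
REQUIRED_FIELDS = frozenset({"email", "country"})


@dataclass(frozen=True)
class HashedField:
    """What gets persisted for an equality-only PII field: a per-record salt and the
    scrypt digest. The plaintext value is never stored."""
    salt: bytes
    digest: bytes


def normalize(value: str) -> bytes:
    """Canonicalise input so 'Alice@Example.com ' and 'alice@example.com' hash identically."""
    return value.strip().lower().encode("utf-8")


def _scrypt(data: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(data, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN)


def hash_field(value: str) -> HashedField:
    """Hash a value with a fresh random salt so two records holding the same value
    do not share a digest (no cross-record correlation from the stored data alone)."""
    salt = os.urandom(SALT_LEN)
    return HashedField(salt=salt, digest=_scrypt(normalize(value), salt))


def matches(stored: HashedField, candidate: str) -> bool:
    """Equality check against a stored field, in constant time on the digest comparison."""
    candidate_digest = _scrypt(normalize(candidate), stored.salt)
    return hmac.compare_digest(stored.digest, candidate_digest)


def minimize_record(form: dict, required: frozenset = REQUIRED_FIELDS) -> dict:
    """Data minimization: drop every submitted field the service has no need to keep."""
    return {key: value for key, value in form.items() if key in required}


def store_customer(form: dict) -> dict:
    """Build the record the platform persists: minimised, with the email kept only
    as an adaptive hash usable for equality checks (e.g. 'is this address already
    registered?') but not retrievable as plaintext."""
    record = minimize_record(form)
    record["email"] = hash_field(record["email"])
    return record


if __name__ == "__main__":
    # Constructed sample sign-up form with more fields than the service needs.
    sample_form = {
        "email": "Alice@Example.com ",
        "country": "DE",
        "mothers_maiden_name": "should never be stored",
        "date_of_birth": "1990-01-01",
    }
    record = store_customer(sample_form)
    print("stored fields:", sorted(record))
    print("same address matches:", matches(record["email"], "alice@example.com"))
    print("other address matches:", matches(record["email"], "bob@example.com"))
```

A caveat worth keeping in mind: the per-record salt means a stored field can only be verified against a candidate, not looked up by index across all records, so a service that needs indexed lookups would use a keyed hash with a server-side secret instead. Adaptive hashing also raises the cost of guessing but does not make a low-entropy value such as an email address unguessable by a determined attacker who already has a target in mind, which is why minimization comes first.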
Another part of the solution to the industry’s data security problem is better communication between platforms on best practices. This could potentially act as a remedy against unclear regulations on data protection.
After all, there have been many examples of self-governance crypto industry entities banding together to create industry standards when regulators were lagging behind: and the , to name some of the more famous examples.
“The industry needs to collaborate to ensure that best practice is documented and readily available,” Trustology’s Mark Hornsby said. “By sharing knowledge and code we can help to reduce the likelihood and impact of a data breach event.”
User education and awareness may be the most important thing
Beyond the company side of things, however, users must also be vigilant when it comes to entrusting their data to crypto platforms.
Mark Hornsby said that indeed, user education on personal identity safety may be the most important piece of the data security issue.
“Users should be encouraged to adopt good password behavior,” he said, which could mean “using a password manager and a unique randomly generated password per site/application, always enabling 2-factor authentication (2FA), and to consider which pieces of data (and how much) they share with any given service.”
Users should also research the companies that they are entrusting their data with to see if there have been any prior incidents relating to data theft.
“Users should look into reviews, news stories and guarantees when it comes to storing their cryptocurrencies on,” said Tiger Financial’s Michael Dailly. “This means that some services may be more demanding and more expensive than others, but I would rather know that my cryptocurrency is safe rather than going through countless hours trying to claim back what was rightfully mine to begin with.”
At the end of the day, however, there is always going to be some level of risk associated with entrusting data to a centralized third party. Therefore, unless a user is willing to use exclusively decentralized platforms, personal data is always at risk of exposure.
“Users can never be sure their personal data is secured properly by the platforms they choose to use,” Decred’s Jacob Yocom-Piatt told Finance Magnates. “By letting someone custody your data, whether we’re talking about private keys or PII, you always run the risk of that trusted third party being hacked and losing control of your data.”