CIO

Reducing data breach risk through the ‘datensparsamkeit’ approach

“If you don’t store it, you can’t be asked for it and you can’t get into trouble,” says ThoughtWorks' Sam Newman

Software design firm ThoughtWorks is urging companies to avoid storing large amounts of unnecessary personal data, following recent data breaches at Target and Neiman Marcus in the United States.

Datensparsamkeit, as it is referred to in ThoughtWorks’ latest Tech Radar, is a German word that translates into data reduction, meaning only storing data that is considered necessary for business as opposed to storing everything and anything that might be useful. By reducing the amount of personal data collected and stored, the risk of an attacker getting hold of that data is also reduced, because the data no longer exists to be stolen.

ThoughtWorks' director of technology, Scott Shaw, gave an example of an online retailer that only stores the first two or three octets of a customer’s IP address to reduce the risk of a breach.

“It’s not necessary to store the entire IP address to get some information. When segmenting and classifying a customer through an IP address, it’s really enough to know it’s the same IP address from one visit to another,” he said.

Sam Newman, a consultant at ThoughtWorks, said companies can still reap the value in targeting products and services to customers without having to collect endless amounts of metadata.

“Say you are targeting an offer to a person or a group. If you know roughly the area they came from – even though a post code is broad – it still tells you things about the area they come from. You might not need any more than that,” he said.

“I worked with one market research company and they actually went further than that [only storing part of an IP address]. Every single month they completely changed the algorithms of the identifier [of a user]. So they only ever tracked a person for a period of a month and could never get very fine details on where that person was. They didn’t want to get too specific; they didn’t need to know the exact address, a postcode was good enough.”
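One way to implement both the octet truncation Shaw describes and a month-scoped visitor identifier along the lines Newman mentions, as an added Python example that is not ThoughtWorks' code and does not appear in the article. The function names, the constructed sample log lines and the choice of a fresh random key per month (the article does not say what algorithm change the market research company actually made) are all assumptions. The full address is parsed and discarded in the same step, so only a coarse network prefix and a pseudonymous id ever reach storage; the example also handles IPv6 by keeping a /48 prefix, which goes beyond the IPv4 case in the text.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date

# Constructed sample access log (documentation addresses, not real traffic).
# Each line is "<client ip> <request path>".
SAMPLE_LOG = """\
203.0.113.42 /checkout
203.0.113.77 /cart
198.51.100.9 /home
2001:db8:85a3::8a2e:370:7334 /home
"""


def truncate_ip(addr: str, v4_octets: int = 2, v6_prefix: int = 48) -> str:
    """Keep only the leading v4_octets of an IPv4 address (or a /v6_prefix of
    an IPv6 address) and zero the rest, before anything is written anywhere."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if not 0 <= v4_octets <= 4:
            raise ValueError("v4_octets must be between 0 and 4")
        prefix = v4_octets * 8
    else:
        prefix = v6_prefix
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


class MonthlyPseudonymiser:
    """Visitor id that only links visits within one calendar month.

    Each month gets a fresh random key and the previous month's key is
    discarded, so ids from different months cannot be joined and an id cannot
    be reversed to an address without the key (assumed design, see lead-in).
    """

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def _key_for(self, day: date) -> bytes:
        month = day.strftime("%Y-%m")
        if month not in self._keys:
            # Replace the whole store: older months' keys are deliberately lost.
            self._keys = {month: secrets.token_bytes(32)}
        return self._keys[month]

    def visitor_id(self, addr: str, day: date) -> str:
        # HMAC over the already-truncated address, so even the key holder only
        # ever recovers a network prefix, never the full address.
        coarse = truncate_ip(addr).encode()
        return hmac.new(self._key_for(day), coarse, hashlib.sha256).hexdigest()[:16]


def minimise_log(raw_log: str, day: date, pseud: MonthlyPseudonymiser) -> list:
    """Convert raw access lines into records of (network prefix, monthly id, path).

    The full client address exists only inside this loop; the returned
    records are what would be persisted.
    """
    records = []
    for line in raw_log.splitlines():
        if not line.strip():
            continue
        addr, path = line.split(maxsplit=1)
        records.append((truncate_ip(addr), pseud.visitor_id(addr, day), path))
    return records


if __name__ == "__main__":
    for rec in minimise_log(SAMPLE_LOG, date.today(), MonthlyPseudonymiser()):
        print(rec)
```

Two visits from the same /16 in the same month get the same id, which is enough for the "same visitor from one visit to another" use Shaw describes; once the month rolls over the key is gone and the id changes, so the stored records cannot be stitched into a long-term profile even if they are later breached or subpoenaed.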

Shaw said location tracking on mobile phones is one of the most useful pieces of metadata a criminal can have on a person.

“That’s part of this metadata that we continuously hear about that’s being collected. People can’t really give consent unless they are informed about what the ramifications are, and I don’t think the public really understand how much information about themselves they are giving over to a retailer in order to receive the service that they want.”

“I think it’s also about plausible deniability,” adds Newman. “I don’t think any of the companies in Australia want to have to give their information to governments or third parties, and they certainly don’t want the risk of that information falling into the wrong hands and then getting in trouble. If you don’t store it, you can’t be asked for it and you can’t get into trouble.”

PCI compliance is not a safety blanket

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is always going to lag behind new technologies, so no company can assume it will be 100 per cent secure by simply abiding by the standard, Shaw said.

“Just because you achieve PCI compliance, doesn’t mean – and Target illustrates this quite well – you necessarily understand all the risks and have addressed all of them. It’s up to companies to take ownership of that.”

Newman said PCI compliance has become a sort of safety blanket for many companies. “Do you think a single one of Target’s customers cares if they were PCI compliant? No, it’s still Target’s fault.”

With the number of Internet-connected devices growing, Shaw said there are going to be many more vectors for attack than before, and PCI may not stack up to the level of security needed to prevent sophisticated modern-day attacks.

“While people have enthusiasm to adopt Internet-connected things and they offer a lot of innovative possibilities to businesses, there are no standards currently for those devices,” he said.

“I think the point of sale device breach is really interesting in light of the Internet of Things. Just because it doesn’t have a screen or a way to interact with it other than swiping a card through it, doesn’t mean it’s somehow secure and sealed.”

Follow Rebecca Merrett on Twitter: @Rebecca_Merrett
