Protecting customer data is essential to your organization’s existence. Failing to put the proper security measures in place can jeopardize your business in myriad ways — from its reputation to its revenue. Plus, a public hack or leak can land your company in legal trouble and cost you millions of dollars.
Of course, in a world where cybercrime worsens by the day and new threats are constantly emerging, few organizations are debating the merits of protecting clients’ data. And with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), you don’t have much choice anyway.
Today, the debate has shifted to how you should protect it — and what you’re willing to compromise in the process. And that’s where it gets murky.
Often, monitoring for leaked client data means handing personally identifiable information (PII) to whoever does the monitoring. Given growing concerns around protecting privacy online, this complicates things: to reduce the chances of hackers using your end-users’ data, it seems you have to play Big Brother.
Or, do you?
Today, we’re reviewing a few traditional strategies for protecting client data with varying degrees of sensitive data exposure — plus a new method that can help you get the best of both worlds.
Traditional Methods for Protecting Client Data
Businesses that handle client data are responsible for ensuring that data doesn’t fall into the wrong hands. This often means monitoring for leaks, identifying whether hackers are acquiring and sharing sensitive details across the dark web, and alerting the affected clients immediately. The sooner you catch shared credentials, the better your chances of stopping an account takeover or other adverse outcomes.
However, monitoring can often feel like an invasion of privacy, even when you’re doing it with the best intentions (like protecting your clients). And sharing PII with a third party, even for monitoring purposes, can create exposure risks.
There are three methods companies typically use to monitor and protect client data:
- Plain text monitoring: You hand the monitoring service the identifiers to watch (usernames, email addresses, domains) in the clear. This works well for known, non-sensitive items like your own domains, but it exposes any client whose identity is itself sensitive.
- Encrypted monitoring: This also works well, but each end-user (such as a client or employee) needs their own account with the monitoring service, so it doesn’t cover users who never sign up.
- Plain text in-stream: Like plain text monitoring, you still send client details in the clear, but they are used only for the moment of matching rather than stored. (In this case, you have to trust your vendor not to record logs.)
In each of these methods, the end-user is fully identifiable to the monitoring service, which can see exactly who was compromised and how. As a business leader, this can feel ethically problematic and probably wouldn’t make your clients very happy. But how else can you protect their data from hackers?
Luckily, there is another option.
Half Hashes are the New Hotness
You may have heard of hashing before — it’s a process of running data, like PII, through a one-way function that turns it into a fixed-length string of letters and digits. The same input always produces the same digest, but there is no way to run the function backwards and recover the input from the digest. When something has been hashed, it’s harder to identify and less valuable to hackers. Think of hashing like the Dewey decimal system used in libraries: on its own, a layperson can’t look at a call number and name the book it belongs to, but whoever holds the catalog can. Likewise, a hashed username is a meaningless collection of numbers and letters to anyone who doesn’t hold the original. One caveat a practitioner will want stated plainly: “can’t be reversed” means the digest can’t be inverted, not that it can’t be guessed. Anyone who can enumerate plausible inputs (common passwords, email addresses from a marketing list) can hash each guess and compare digests, so a hash of low-entropy data only protects against a party that has nothing to guess with.
But half-hashing takes things a step further.
Consider our new Dark Hash Collisions solution, for example. The flow has four steps. First, customers hash their end-users’ identifiers (usernames or email addresses) and keep only half of each hash; those half hashes are the only thing sent to HackNotice, and the customer keeps the table that maps each full hash back to a user. Second, HackNotice extracts usernames from leaks and hashes them the same way, which requires both sides to use the same hash algorithm and the same normalization (case, whitespace), or identical identifiers will never match. Third, we compare the first half of each leak hash against the half hashes you sent. Fourth, for any match, we provide the full hash and the leaked password pair to the client, who looks the full hash up in their own table to determine who is at risk; a leak hash that merely shares a prefix with one of yours fails that lookup and is discarded. Because we only ever see truncated hashes, never the identifiers themselves, this lets us help you protect your end-users’ data without you sharing their PII. How much privacy the truncation buys depends on how many plausible identifiers share each prefix: a long prefix is still a near-unique fingerprint to a party with a list of guesses, while a short prefix makes many identifiers collide at the cost of more candidate matches for you to filter.
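The exchange described above, as an added worked example that is not HackNotice’s code and does not reflect its published implementation: a client that keeps the only full-hash-to-user table and sends out half hashes, a monitoring service that indexes constructed leak records by hash and returns matching (full hash, password) pairs, and a client-side lookup that confirms or discards each candidate. SHA-256, the trim-plus-lowercase normalization, the 32-hex-character half, and the sample users and leak records are all assumptions made for the example. It also shows, as the caveat in the hashing section warns, that a party holding a list of candidate identifiers can recover an identity from a truncated hash by guessing.

```python
"""Half-hash (truncated-hash) breach matching. The client keeps the identity
mapping; the monitoring service sees only hash prefixes. Added example:
the hash (SHA-256), normalization (trim + lowercase), prefix length and
record format are assumptions, not a vendor's published scheme."""
import hashlib
from collections import defaultdict

HALF = 32  # first 32 of the 64 hex characters of a SHA-256 digest


def full_hash(identifier: str) -> str:
    """Canonicalize, then hash. Both sides MUST normalize identically, or the
    same identifier yields different digests and never matches."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


class Client:
    """Holds the only copy of full hash -> identity. It never leaves here."""

    def __init__(self, identifiers, prefix_len=HALF):
        self.prefix_len = prefix_len
        self.lookup = {full_hash(i): i for i in identifiers}

    def half_hashes(self):
        # The only data sent to the monitoring service: truncated digests.
        return sorted({h[: self.prefix_len] for h in self.lookup})

    def resolve(self, matches):
        """Map returned (full_hash, leaked_password) pairs back to users.
        Leak hashes that merely share our prefix fail the lookup and are
        dropped here, so the final identification is always local."""
        return sorted((self.lookup[fh], pw) for fh, pw in matches if fh in self.lookup)


class MonitoringService:
    """Indexes leaked (username, password) records by full hash of username."""

    def __init__(self, leak_records):
        self.by_hash = defaultdict(list)
        for username, password in leak_records:
            self.by_hash[full_hash(username)].append(password)

    def match(self, half_hashes, prefix_len):
        """Return every (full_hash, password) whose prefix a client asked about."""
        wanted = set(half_hashes)
        return [(fh, pw) for fh, pws in self.by_hash.items()
                if fh[:prefix_len] in wanted for pw in pws]


def guess_identifier(half_hash, candidates, prefix_len=HALF):
    """Why truncation alone is not 'zero knowledge': anyone who can enumerate
    plausible identifiers can hash each guess and test the prefix."""
    return [c for c in candidates if full_hash(c)[:prefix_len] == half_hash]


# Constructed sample data for the example; not real leak content.
CUSTOMER_USERS = ["Alice@Example.com", "bob@example.com", "carol@example.com"]
LEAK_RECORDS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "Password1"),
    ("mallory@example.org", "letmein"),
    ("dave@example.com", "qwerty"),
]


def run_demo(prefix_len=HALF):
    """Run one round trip; returns (confirmed_hits, pairs_returned_by_service)."""
    client = Client(CUSTOMER_USERS, prefix_len)
    service = MonitoringService(LEAK_RECORDS)
    candidates = service.match(client.half_hashes(), prefix_len)
    return client.resolve(candidates), len(candidates)


if __name__ == "__main__":
    hits, sent = run_demo()
    print(f"32-hex-char half: {sent} pairs returned, {len(hits)} confirmed: {hits}")
    hits, sent = run_demo(prefix_len=1)  # short prefix: more collisions, same hits
    print(f"1-hex-char prefix: {sent} pairs returned, {len(hits)} confirmed")
    print(guess_identifier(full_hash("bob@example.com")[:HALF],
                           ["alice@example.com", "bob@example.com"]))
```

Two things worth noticing when you run it. The client stored "Alice@Example.com" but the leak spells it in lowercase; only the shared normalization in `full_hash` makes them match. And shortening the prefix changes how many pairs the service sends back, never which users the client confirms, because the lookup against the client’s own table is what decides.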
Half hashes have essentially changed the game when it comes to data protection. Instead of forsaking privacy to monitor client data, you can have it all: engage in monitoring to identify when users’ information has been compromised, but without sharing those sensitive details with a third-party provider. It’s a win-win for everyone involved — except hackers.