If you didn't store valuable data, ransomware would become impotent Sixteen years ago, British mathematician Clive Humby came up with the aphorism "data is the new oil". Rather than something that needed to be managed, Humby argued data could be prospected, mined, refined, productized, and on-sold – essentially the core activities of 21st century IT. Yet while data has become a source of …
If data is to be sold valuing it shouldn't present any problem at all. It's based on what customers* are prepared to pay for it. Ironically the data that's hard to value is that held by businesses who are more ethical and don't sell it on.
* That's the data customers, not the customers who are mere data subjects
As far as I can tell, it's aimed at companies that don't do anything. Sure, a company asking users for permission to get data from them and not store it sounds great, but for privacy reasons not for ransomware protection. No company that's willing to bypass restrictions on data collection is going to take that approach because they don't want users to have privacy from them. However, none of that matters, because whether they get user's data from them or from storage, they'll still have valuable data of their own. Their financial records, the code they analyze data with, their communications and contracts, and all the other data generated by the process of doing business is valuable to the company and not owned by someone else. They don't have the option of asking their customers for that because it's not the customers' data, so ransomware still has something to take from them.
The solution to ransomware is not some mythical privacy-supporting process, as nice as that would be. It's a good set of backup arrangements. There is no way to avoid having to back up your data if you want to have it later.
So instead of holding all your customer's data centrally the idea is to store it de-centrally and somehow this protects from ransomeware attacks?
1) Ransomeware will evolve to encrypt the remotely held data.
2) The author assumes that the only valuable data a business has is its customer database. What about payroll, tax payments, bank information, product designs, supplier contacts and details etc.? There's plenty of data that a business needs to survive which is not linked to customers.
There's a lot of data a business needs to survive. It's their data and possibly they may be a little more motivated to look after it. Maybe they won't but if they suffer a breach it's just their problem.
If it's customer data it's a lot of other peoples' problem. The significant difference there is trust: the customer's trust the business and the business fails to live up to that trust despite all the protestations about that after the event.
As to decentralising data, the general thrust of the article seems to be that it's the customer who looks after their own data. Let's say I want to order something online on this basis. What needs to happen in data handling:
1. I select what I want to buy, I go to the checkout page. I enter my name and delivery address. That's in my own memory where it's not open to a ransomware attack.
2. I enter my bank account details which I copy from my hard copy bank card. This may well be verified by the bank's own pop-up app. The bank already holds my details, that's inevitable. I hope that my bank is a lot more secure than the average retailer. It's not 100% but ultimately it's the bank's problem if they're not, they're regulated more effectively than the retailer. That last statement is worth reflecting on.
3. The bank confirms the purchase to the retailer.
4. The transaction is confirmed back to me on screen, possibly offering a PDF to download and I can take a note of that. No email is needed. I am, however, holding my copy of that, possibly on my computer although I could make a written note or print the PDF.
5. The retailer prints a picking/despatch note and a shipping label.
6. At this point the company doesn't really need to keep personal information online any longer and can delete it. A summary of the transaction without these details can stay on their system.
7. When I receive the goods I can retain the packing note and delete any reference to it on my computer or retain it at my own risk - I'm not placing anyone else at risk.
Before anyone gets het up about needing to keep this in case of delivery problems, warranty claims etc. they have this on the picking note with the personal data on it; once delivery is confirmed they can dispose of that. If I have a complaint down the line it's up to me to produce my copy of the despatch note or the electronic copy of the order acknowledgement if I chose to keep that.
The retailer's holding of my PII is limited to the time needed to print out the paperwork. My holding is at my choice. The long term holding of information by the retailer is more or less what they'd have held if I'd walked into a shop and paid cash for the item, a business model which has worked for a few thousand years.
If your business is an online shopfront with no obligations to the customer and nothing more you can make this sort of distinction. That's fine if you're selling scented candles but what if...
You're selling new cars. There's a load of data you've legally got to have for service and product recalls.
You're providing financial services. You've got to know your customer well enough to meet anti-money laundering and tax legislation, and your customer may well expect you to provide personalised service.
You're providing legal services. Like financial services except now add holding legal documents for the customers.
You're providing medical services. Now the customer data is stuff you have to hold, customers may have to have access to it (depends on jurisdiction and the exact business), and losing it is bloody terrible.
Sure, there are businesses which can get away with having an online orders server which talks to nothing else, or a service provided by someone else for that, but I think more will be like the above.
This is the kind of argument that normally appears before someone tells you that Web3 will solve everything. Early web technologies such as PKI, web servers, email, etc envisaged high levels of decentralization, with everyone running their own web server, managing their PKI trust chains, etc. People don't want that. Cryptocurrencies and NFTs are already showing us that if you leave end-users to control their own security permissions they get scammed left, right and center. Giving people even more fine-grained permissions and asking them to take responsibility for managing that themselves is a recipe for disaster.
The author assumes that the only valuable data a business has is its customer database
I was thinking the same, just from reading the headline. An ex-employer of mine got hit with ransomware a while ago. They ran an e-com platform, which didn't actually store any data beyond a customer's address and order details. And that data was secure on a web server, segmented from the compromised internal network. No, the biggest damage that the ransomware attack did was the cost incurred from loss of production while the network and machines were cleaned of the nasty and restored from backups. The second biggest damage were some proprietary product design files that had been backed up to an online NAS disk. It being online, it was also compromised of course. There were offline backups of these files, but they were months old and nearly useless.
Neither of these issues would have been helped even slightly by "getting the customer to store their own data". As a course of action, it wouldn't even have been relevant.
This post has been deleted by its author
"Let your customers hold their own data, and ask them for (limited) permission to use it."
AKA "Give the responsibility to the person with the least amount of knowledge and ability to deal with it and pretend you have solved the problem because it's no longer yours.".
Sheesh.
Co-incidentally, I have literally just finished doing my company's Data Protection course. After reading this article I see the course in a much better light...
And it's widely known that most cyber attacks tend to start with some form of social engineering. It's amazingly easy to persuade someone to part with some of their sensitive information. At least large companies tend to train their workers to be resistant to these kinds of attacks (yes, I know some don't. And that the training isn't always effective).
The above is a pretty good analogy, if you substitute the humans for machines. In a centralised location, you can take co-ordinated steps to secure data. If that data is spread amongst customers' machines, it's a more diffuse but an easier compromised target. And, potentially, an attack vector.
This post has been deleted by its author
"Businesses now face not just data loss but data theft
In English law at least, loss and theft have the same outcome, as theft is defined as to 'permanently deprive' the victim of the asset in question.
We really should start to distinguish between loss and exfiltration. 'Loss' means the data is no longer available to the victim (as in the legal definition of theft) but exfiltration does not. Data may be exfiltrated by copying it, while still leaving the original available to the victim.
The difference is legal,
Data Loss - the data is gone but no-one unpermitted has it.
Data theft - the data is in the hands of a 3rd party that is not permitted to have it normally.
This argument is essentially an argument based on limiting the liability of a company and very little to do with protecting data. If someone gets that far into your systems, they would be able to put monitors and keyloggers on your website and steal the data direct from the customers anyway using a MITM attack between the site and the payment processor.
If you stare at anything long enough, blockchain emerges as the solution.
Kidding aside, this is rather pointing towards a world where I own my data, which I permit companies to make restricted transactions upon. A block-chain like structure may be a viable way to enable those transactions.
Let's settle for something easier. How about a standardised name and address entry form? For those who really can't - or can't be arsed - to type it in themselves they could have a matching text file and copy and paste it.
Yes, I'd put myself in the second category.
It would need some thought: no assumption that everyone lives in a "city", not assumption that all street addresses have a number and no assumption that postal codes are numeric.
Is everyone has all the data. May seem crazy but stick with this thought for a moment:
In this situation if I need to prove that you are who you say you are (lets say for purchasing) - then I can use as much of the data as I want to satisfy myself that not only are you that person you say you are but you also have the means and funds to purchase what you want. That purchasing record then becomes another piece of data that everyone has access to. This omni-data model would initially need to be inviolate (well at least cascade change proof) (blockchain all over again) - but as contradiction cannot exist in nature the data would self-correct as more is collected.
Ransomware only exists because companies and individuals hold data no one else has got - if we all have it all there is nothing to ransom.
And if this omni-data is used nefariously - well that becomes part of the data and the nefarious agents become visible for all to see....
Hmm might have overdone it with the meds.....
"Hmm might have overdone it with the meds....."
You might indeed. The value of PII isn't that only the data hoarders hold it, it's that it is unique for a given individual. The value to the data subject is intrinsic and not determined by the number of people holding it.
I can't off-hand think of a closer equivalent but this will do: it's like saying that if everyone were burgled then nobody's any the worse off because everyone else is in the same situation.
Or, not related to the OP's topic, but also a stupid thing that companies say that I like to rephrase within the analogy of burglary and then repeat back to them, is something akin to "we don't need alarms/locks/doors/to hide our valuables/to reduce the number of unnecessary valuables we have; burglary's against the law so it can't happen to us, and if it does the perpetrator will go to jail".
It's not a model that's unheard of. I'm somewhat of the opinion that everyone's healthcare/genetic data should be fully accessible to anyone who wants to see it, as anybody from doctors to script kiddies would be able to mine it for patterns and we'd hopefully be able to propose formal studies and trials that had a lower chance of failure, meaning lower drug prices/decreased mortality. However it would also have to be the case that there was no stigma surrounding medical/mental health conditions (opening it all up would hopefully accelerate the reduction of such stigmas, but not eliminate them) and that it would only be used for good (e.g. not selling people stuff/making outrageous profits from healthcare, no genocide, no eugenics etc). People would only be less prissy about their data if all those conditions were met, which is certainly not a possibility given current evidence; and furthermore even if you could trust everybody right now the potential risks would still be there. Once you'd opened the door there'd be no going back except for new data.
Completely open healthcare data is a common enough pipe dream that it's mentioned in some of the NHS documentation about data protection/consent regs — essentially saying that there are plenty of people who don't care who has access to their healthcare data, but you still have to get their consent to use it or transfer it for the most part (this predates whatever the hell shady crap happened last year where they tried to change the rules on the QT).
That is never going to happen, at least the "no stigma" part. It's also insufficient. You don't only need to remove stigmas about medical history, but every single possible bad use of the data. For example, use for discrimination, tracking, or impersonation. Eliminate all of those and we can talk. Until you have done so perfectly, I will oppose this suggestion in every way I can.
There speaks someone who doesn't know what can be done with your data. If you've ever had a chance to tell someone something and didn't, you should know why we don't want every action we've ever taken to be publicly recorded for everyone to use. Take a simple example from your own data: if all our financial records were available, it would easily lead to people using them to decide what we can be paid or charged. An employer would look at our purchasing history and decide we don't need a raise and in fact could take a pay cut without harm. A store could look at it and decide that we can easily afford to pay more for the product. That's just a simple algorithm, and I assure you there's much worse to do with that data alone.
By the way, nefarious uses would not become easily obvious, because an attacker would read the publicly-available data and approach their target offline for whatever use they had in mind. Unless you want all conversations recorded and uploaded, there will be ways to hide some things. If you do want them all recorded and uploaded, you assume that someone will listen to all of them to identify unethical activities even though it would be infeasible, and you have a very bad understanding of how that can cause problems. I'll assume you weren't going that far. In short, your suggestion is infeasible and fragile, which is at least somewhat reassuring because, if implemented, it would be dangerous and frightening.
Let your customers hold their own data, and ask them for (limited) permission to use it
If I order something, they're going to need to remember my address to ship it to me.
They're also going to need to remember my phone number or email, in order to update me on the progress or resolve any issues.
That's the valuable data a business is built upon.
But customers are lazy. We all flock to the "let us store your data securely, so you don't have to" services. Refusing to store it means we will just use some other more convenient but less ethical service.
Then again, with the modern trend fort web browsers to open their souls and assholes to every prying bit of XSS javascript out there, combined with the WWI-pilot life expectancy of the average teenager's iPhone, who in their right mind will store their data locally?
Nothing financially valuable on the home PC. Do have a lot of photos, videos and (bad!) reason projects that I would like to be able to go back to.
There's a reason I keep multiple backups on different media types.
The work machine on the other hand, were ransomware to get out into the wild through that and disrupt something important that would be headline news. Assuming the news were still functioning that is...
"...your inability to keep private data private... Who will want to do business with you in the future?
In an ideal world, no one, but in this world, we neglect to euthanize the apathetic, as Fecesbook's stunning worldwide membership total proves.
Piss-poor and absent privacy laws result in quick (news, today; forgotten, tomorrow), PR-spun, minimum-disclosure, minimum-consequence rebounds for all security-breached businesses, from mega-retailers such as Home Depot to essentially unregulated credit-bureau cartels, including members such as Equifax.
An apathetic public continues to shop just as before at breached Home Depot, Michael's, Target, [insert long list, here], etc., and remains ruled by Equifax et al.
As long as America's Injustice System pats itself on the back while Big Biz lobbie$ corruptible lawmakers, you and your data will be raped.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
