Blockchain could hold key to fighting data leaks

By Dylan Bushell-Embling
Friday, 20 January, 2023

Blockchain technology could hold the solution to the growing scourge of data breaches targeting Australian organisations and the data they hold on individuals, according to an expert from UNSW Business School.

Dr Eric Lim said that while the trend following the high profile data breaches of organisations operating in Australia such as Optus, Medibank and MyDeal is to call for governments to fund awareness campaigns aimed at Australian citizens and residents, pawning off responsibility for keeping data secure on individual victims is not the answer.

“It is too easy to shift the blame of these breaches to the employees while speaking nothing of the increasing desire of all organisations to hyper-centralise the data of their employees and their customers,” he said. “But the overwhelming chances are such breaches will again happen down the road within the current cybersecurity paradigm.”

Centralising data creates a single point of failure and major security risk that enterprises and organisations must address, Lim said. The solution could be to rethink the management of sensitive customer data, he said.

“What if, instead of centralising the data in an alluring honeypot, we allow each employee and customer of these organisations to hold on to their own data? We could skip over this single point of failure by decentralising the data and give each customer and employee sovereignty over their own data points, using blockchain-enabled Decentralised Identity (also known as DID),” Lim said.

“This means instead of a company holding all the customer’s data in an alluring one-stop info-shop, everyone is tasked with maintaining sovereignty over their own data.”

The proposed DID model would have three basic components — the individual, the issuers of digital credentials and the verifier.

The individual holder would accumulate pieces of information associated with their economic identity known as digital credentials, such as drivers’ licences, education certificates and passwords, that would be issued by the relevant authorities and digitally signed on the blockchain and stored by the individual.

The verifier would meanwhile be able to request specific information associated with the digital credentials in exchange for services rendered.

“In the entire process, the digital signatures are specific to the particular instantiation of the information transferred and cannot be replicated by anyone who does not possess the respective private keys, therefore preserving the authority of the individual holder to have sovereignty over their own privacy,” Lim said.

The proposed model would have downsides, such as requiring individuals to assume responsibility for keeping their devices secure, Lim noted. “This means, no leaving their private keys written down, lying around for attackers, and avoid undertaking risk behaviours like accessing keys on a web browser when on public W-Fi,” he said.

“But I am a strong believer that we need to reflect on our incentive system when it comes to cybersecurity. If the incentive system is wrong, no amount of compulsion or exhortation or education from a higher power will change an individual’s behaviour.”

Image credit: iStock.com/matejmo