News of the exposure of personal data belonging to users of some of the world's most popular applications recently rocked the internet. The affected applications include X, TikTok, LinkedIn, Coinbase, eToro, PayPal, Fiverr, Upwork, Bumble, Uber, and more. The company at the heart of the breach is AU10TIX, based in the suburbs of Tel Aviv, which specializes in identity verification using personal documents and biometrics. The incident not only exposed a vast amount of sensitive user information but also reopened the debate on how to secure applications while protecting personal privacy.
Incident Overview
In December 2022, a security researcher discovered the exposed credentials of a manager at AU10TIX's network operations center. The credentials included the manager's passwords and several account tokens, which granted access to the logging platform where AU10TIX processes the personal data it reviews: names, birth dates, nationalities, and images of driver's licenses and passports. The same platform also held proprietary data about the company's verification technology, such as real-time facial scan results and document authenticity measurements. Alarmingly, these credentials were published on Telegram in March 2023 and remained exposed for more than a year.
In a statement to 404media, AU10TIX initially claimed that "after thorough investigation, it was determined that the employee credentials were illegally accessed and immediately revoked." When the publication informed the vendor that the credentials were still exposed online as of this month, however, the company said it would work to shut down the exposed logging system and that it had notified affected customers, emphasizing that "based on our current investigation, we have found no evidence of this data being exploited."
The Dilemma for App Users
Today, users of cryptocurrency, payment, social media, and dating apps are routinely required to hand over highly sensitive information and documents to prove their identity. Yet they have no control over how that information is processed, stored, or retained, nor over which third-party vendor ends up holding it. This dilemma raises the question of how to secure applications while protecting personal privacy.
Balancing App Security and Personal Privacy Protection
Jason Soroko, Senior Vice President of Product at Sectigo, suggests several methods that let companies verify identity while minimizing the sensitive files and personal identification information they have to store:
1. Tokenization
Tokenization replaces the stored document with a token that stands in for it. The document itself, if it must be kept at all, lives in a separate, tightly controlled vault, so an attacker who compromises the application database obtains only meaningless tokens rather than the actual sensitive information. Two caveats apply in practice. First, a token is only as safe as the vault that maps it back to the data, so the vault needs its own credentials, network isolation, and audit logging. Second, a plain hash is not a substitute for a random token when the underlying value comes from a small space, such as a date of birth or an ID number: an attacker simply hashes every candidate until one matches. Use random tokens, or a keyed hash (HMAC) where a deterministic lookup value is genuinely needed.
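The following is an added example, not code from the original article or from Sectigo or AU10TIX, showing the pattern in Python: a hypothetical vault hands the application a random token for the passport scan, the date of birth is stored as an HMAC fingerprint, and an attacker holding the stolen row is simulated brute-forcing an unkeyed SHA-256 of the same date (which succeeds) and the keyed fingerprint (which does not). The sample record and the vault class are constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample record: what an app would forward to a KYC vendor.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1990-04-12",
    "passport_image": b"\x89PNG\r\n\x1a\n<constructed fake passport scan bytes>",
}


class TokenVault:
    """Hypothetical vault service: the only component that ever holds raw
    documents. It sits behind its own credentials and network boundary; the
    application database keeps only the opaque token it hands back."""

    def __init__(self):
        self._store = {}

    def tokenize(self, raw: bytes) -> str:
        # A random token carries no information about the document it stands for.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = raw
        return token

    def detokenize(self, token: str) -> bytes:
        return self._store[token]


def naive_fingerprint(value: str) -> str:
    """Unkeyed hash: looks anonymized but is reversible for low-entropy fields."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_fingerprint(value: str, key: bytes) -> str:
    """HMAC with a key the attacker does not have: still usable for exact-match
    lookups (deduplication, watchlist checks) but not brute-forceable offline."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def brute_force_dob(target_hex: str, start_year: int = 1920, end_year: int = 2010):
    """What an attacker does with a stolen column of hashed birth dates:
    hash every plausible date (about 33,000 candidates) and compare."""
    current, end = date(start_year, 1, 1), date(end_year, 12, 31)
    while current <= end:
        if naive_fingerprint(current.isoformat()) == target_hex:
            return current.isoformat()
        current += timedelta(days=1)
    return None


def build_app_row(record: dict, vault: TokenVault, hmac_key: bytes) -> dict:
    """The row the application itself stores after verification: no raw document, no raw DOB."""
    return {
        "name": record["name"],
        "dob_fp": keyed_fingerprint(record["dob"], hmac_key),
        "passport_token": vault.tokenize(record["passport_image"]),
    }


def demo() -> dict:
    """Runs the flow end to end and returns the values worth checking."""
    vault = TokenVault()
    hmac_key = secrets.token_bytes(32)  # kept with the vault, never in the app database
    row = build_app_row(SAMPLE_RECORD, vault, hmac_key)
    return {
        "row": row,
        "roundtrip_ok": vault.detokenize(row["passport_token"]) == SAMPLE_RECORD["passport_image"],
        # Attacker with the stolen row: the keyed fingerprint does not brute-force...
        "keyed_recovered": brute_force_dob(row["dob_fp"]),
        # ...while an unkeyed sha256 of the same date falls in well under a second.
        "naive_recovered": brute_force_dob(naive_fingerprint(SAMPLE_RECORD["dob"])),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the contrast in its last two entries: a breach of the application database yields the token and the HMAC, neither of which the attacker can turn back into the passport or the birth date without also breaching the vault and its key.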
2. Zero-Knowledge Proofs
A zero-knowledge proof is a cryptographic protocol in which a prover convinces a verifier that a statement is true, for example that the prover holds the secret key bound to a previously verified identity, or is over 18, without revealing anything beyond the truth of that statement. The verifier ends up with no document, no date of birth, and no reusable secret, so there is nothing for a later breach of the verifier to expose. One practical requirement: the proof must be bound to the session or the verifier (a nonce or context string), otherwise a captured proof can simply be replayed.
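As an added example, not code from the original article or from any of the companies it names, the following Python implements the simplest proof of this kind: a Schnorr proof that the prover knows the secret x behind a public value y = g^x, made non-interactive with a Fiat-Shamir challenge that is bound to a context string so the proof cannot be replayed. The group parameters are generated on the fly at a demo size, which is an assumption made only so the example runs with the standard library; `simulate` shows why a transcript reveals nothing, since anyone can manufacture one that verifies without knowing x.

```python
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for a demo-sized group."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits: int = 128):
    """Returns (p, q) with p = 2q + 1 both prime, so any square generates an order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


# Demo-sized group (assumption: a real deployment uses a standardized 2048-bit
# group or an elliptic curve, never parameters generated on the fly like this).
P, Q = gen_safe_prime(128)
G = 4  # 2^2 mod P: a square, hence a generator of the prime-order-q subgroup


def keygen():
    """Secret x is the witness, e.g. a key bound to an identity an issuer verified once."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def challenge(y: int, t: int, context: str) -> int:
    """Fiat-Shamir: the challenge is a hash over the public value, the commitment and a
    context string (verifier id, session nonce), so a proof only verifies in that context."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}|{context}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def prove(x: int, y: int, context: str):
    r = secrets.randbelow(Q - 1) + 1  # fresh randomness per proof: reusing r leaks x
    t = pow(G, r, P)
    c = challenge(y, t, context)
    s = (r + c * x) % Q
    return t, s


def verify(y: int, proof, context: str) -> bool:
    """Checks g^s == t * y^c, which holds iff s = r + c*x for the x behind y."""
    t, s = proof
    c = challenge(y, t, context)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def verify_interactive(y: int, t: int, c: int, s: int) -> bool:
    """Same check for the interactive protocol, where the verifier chose c itself."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def simulate(y: int):
    """Zero-knowledge in one function: choose c and s first and solve for t, producing a
    transcript that verifies without ever knowing x. A verifier learns nothing from a
    transcript it could have produced on its own."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P  # y^(Q-c) == y^(-c) in the order-q subgroup
    return t, c, s
```

In an identity setting y would be registered once, after the document check, and every later login or age check would be a fresh `prove` call over a context the service chose; the service stores y and nothing else.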
3. Decentralized Identity Verification
Decentralized identity verification, often anchored on a blockchain or other distributed ledger (the ledger is one option, not a requirement), lets users hold credentials issued once by a trusted party and present only the claims a given service actually needs, such as "over 18" without the date of birth. This improves privacy and security and gives users more control over their personal data. It does not remove the need to trust the issuer, however, and personal data itself must never be written to a public ledger, where it can never be deleted.
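To make "share only the necessary parts" concrete, the following added Python example (not code from the original article or from any named company) implements selective disclosure with salted hashes: the issuer signs a list of per-claim digests, the holder forwards that signed list together with only the claims it wants to reveal, and the verifier checks each revealed claim against the signed digests. The sample claims are constructed, and the issuer's signature is stood in for by an HMAC key shared between issuer and verifier, an assumption made so the example runs with the standard library; a real deployment would use a public-key signature that any verifier can check.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: stands in for the issuer's signing key. A real issuer signs with a
# public key so that verifiers need no shared secret.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample claims, as an identity verifier might issue them once after
# checking a passport. "over_18" is a derived claim computed by the issuer so that
# age checks never require the birth date itself.
SAMPLE_CLAIMS = {
    "given_name": "Jane",
    "family_name": "Example",
    "birth_date": "1990-04-12",
    "nationality": "NL",
    "over_18": True,
}


def _claim_digest(claim: str, value, salt: str) -> str:
    # The random per-claim salt stops a verifier from recovering undisclosed
    # claims by hashing guesses (every birth date, every nationality) against the list.
    payload = json.dumps([salt, claim, value], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def _sign(digests: list) -> str:
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()


def issue(claims: dict):
    """Issuer: salt and hash every claim, then sign only the sorted digest list.
    Returns the credential and the disclosures; only the holder keeps the latter."""
    disclosures = {k: (secrets.token_hex(16), v) for k, v in claims.items()}
    digests = sorted(_claim_digest(k, v, salt) for k, (salt, v) in disclosures.items())
    return {"digests": digests, "sig": _sign(digests)}, disclosures


def present(credential: dict, disclosures: dict, reveal) -> dict:
    """Holder: forward the signed credential plus just the requested claims and their salts."""
    return {"credential": credential, "disclosed": {k: disclosures[k] for k in reveal}}


def verify(presentation: dict):
    """Verifier: check the issuer signature, then that each disclosed claim hashes to a
    signed digest. Returns the verified claims, or None if anything was altered."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_sign(cred["digests"]), cred["sig"]):
        return None
    verified = {}
    for claim, (salt, value) in presentation["disclosed"].items():
        if _claim_digest(claim, value, salt) not in cred["digests"]:
            return None
        verified[claim] = value
    return verified
```

A verifier that only asks for `over_18` never receives the name, birth date or nationality, and cannot alter a disclosed value without breaking its digest. One residual leak to be aware of: the signed digest list is identical in every presentation, so a verifier can recognise the same holder across sessions; production schemes address this by issuing batches of single-use credentials.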
Conclusion
The breach shows how fragile the current approach to identity verification is: one set of exposed credentials opened a logging platform that held raw identity documents, and those credentials stayed usable for more than a year. Tokenization, zero-knowledge proofs, and decentralized identity verification offer ways to verify users while storing and processing far less sensitive data, which shrinks what any future breach can expose. They are not a substitute for the basics that failed here, however: leaked credentials must be detected and revoked promptly, and logs should never retain raw documents. Implementing the newer methods also requires care and ongoing management so that they do not introduce new weaknesses of their own.
In the future, every company that processes or manages identity data must strengthen its security measures to protect user data from unauthorized access and breaches, so that users can enjoy the convenience of digital services while their personal privacy is protected as far as possible.