Most people most of the time think we’re crazy, that our approach to data security is frankly too much. But this past week, when Capital One announced a data breach that exposed the private data of more than 100 million unsuspecting consumers, I was reminded of why we take the approach we do — and why the world will eventually come around.
Capital One and Amazon Web Services (AWS) — the infrastructure provider for Capital One, SurveyCTO, and many of the other companies and services you know and trust — blame a “misconfigured firewall” for the breach.
Question #1: Why is there only a single very-complex-to-configure firewall sitting between hackers and private data as sensitive as Social Security numbers and dates of birth?
It then emerged that the alleged hacker is a former AWS employee. As yet, I haven’t seen any claim that she learned about potential or actual vulnerabilities while on the job at AWS, but it raises an important question about AWS employees.
Question #2: What level of access do the multinational fleets of highly technical AWS employees and contractors have to data housed on AWS systems?
When we push SurveyCTO users to encrypt their sensitive data using their own private encryption keys and bend over backwards to ensure that we never see those private keys, it’s not necessarily because we don’t trust ourselves to treat that private data responsibly. Of course, we think quite highly of our team and the measures we put in place to safeguard private data. But humans being humans and computers being computers, mistakes do happen. And we rely on providers like AWS to provide cost-effective cloud infrastructure for our services, which means that there are many more humans and many more computers added into the mix — all of which can be points of failure.
Our commitment to and advocacy for private-key encryption methods stem from a deep desire to safeguard sensitive data, to inoculate it against potential points of failure or exposure.
If you’re a SurveyCTO user and haven’t been making full use of our encryption features, let this Capital One breach be a reminder to you. And if you haven’t been using a data-collection solution that makes it easy to strongly encrypt your data, consider switching to a solution like SurveyCTO.