The most significant data breach of 2016 was arguably the one that didn't matter at all.
What makes it so significant is not what the hackers took, but the takeaway for the rest of us. The hackers were unable to get any customer data, because there was none to steal.
ShapeShift, a digital currency exchange, lost about $230,000 in a series of thefts discovered in March and April. But no customers' funds were taken, nor any of their personal information. Unlike most exchanges, the company holds neither. It simply arranges transfers from one cryptocurrency to another (bitcoin to ether, Dash to Dogecoin, Monero to Zcash, etc.). All users provide is an address to deposit their new coins.
"The only thing we need to know is their wallet address, where to send their asset and which asset they want," said Erik Voorhees, founder and CEO of ShapeShift, based in Zug, Switzerland. "That's basically it." As a result, all the hackers could steal was money from the company stash.
ShapeShift's no-questions-asked model is an extreme example (and a compliance risk). But the fact that its users were unharmed by a data breach underscores a harsh reality that mainstream financial institutions should recognize: Customer data might be a valuable asset, but it is also a huge liability. You could even call it radioactive.
Banks know so much about their customers — not just how much money they have but where and how often they spend it — so they are uniquely positioned to craft targeted offers and advice, the thinking goes. But it is painfully clear that the more information a company has about its customers, the bigger the prize for hackers.
The year 2016 set a record for data breaches. There were more than 900 nationwide as of late November, according to the Identity Theft Resource Center, up from the previous peak of 783 in 2014. The financial services sector had the smallest share of breaches, 4.5%, compared with 7% for government and military, 8.5% for educational institutions, 36.2% for medical and health care and 43.9% for all other businesses.
The toll for businesses goes well beyond paying for a year of credit monitoring. A company can get fined by regulators and sued when customer information is compromised, and a 2015 federal appeal court ruling made it easier for consumers to bring class actions. Estimates of the average cost of getting breached range from $200,000 to $4 million, and that's to say nothing of the blow to a company's reputation.
"I don't think people have seen yet what the implications can be for a bank of a massive data theft," said Andrew Waxman, an associate partner in the financial markets risk and compliance practice at IBM's global business services unit. "People have been lucky so far."
While there have been a lot of small incidents and some significant ones, he said, "I don't think the cost is transparent to people, to the bank or to the economy."
Even if a bank successfully wards off attackers, there's the risk of insiders abusing the precious information they hold. The thousands of Wells Fargo salespeople who created unsolicited accounts for customers, which in some cases entailed accessing the bank's systems to obtain their personally identifiable information, are an example.
Of course, banks have important reasons to collect and hold much of this information. If you're lending money, for instance, you need to know the borrower's income, assets and credit history, and where to find the collateral. On the deposit side, customer information such as a Social Security number, mobile number or IP address helps authenticate the person accessing the account, thus guarding against fraud. Not least of all, financial institutions are required under anti-money-laundering laws to conduct due diligence on applicants before opening accounts.
While ShapeShift may not be gathering information on its customers to the extent that a bank or even a money transmitter does, Voorhees points out that it publishes every transaction, which the authorities can use to trace funds through the blockchains of various currencies. "We don't pull in data we don't need," he said. But "we don't hide anything, we don't obscure. We've tried to meet the noble goals of regulation but in a way that's appropriate for a digital economy, versus how banks worked in the 1950s."
Apart from tightening up cybersecurity — which regulators are also demanding — this environment calls for a new mindset. A simple option would be to collect only what you absolutely have to in order to run the business and be compliant, and dispose of it as soon as you safely and legally can. And for heaven's sake, encrypt it all, no matter how strong your vendors tell you their security software is.
Waxman suggests that companies think about their strengths and weaknesses in managing various types of data (not only customer information), just as they would look at their financial assets and liabilities. A liability on a "data balance sheet" could be a poorly maintained list of who can access back-office systems, or a manual process involving spreadsheets (easily doctored by rogue traders). These vulnerabilities would be netted against data assets, such as well-guarded and well-leveraged trade secrets, and companies should aim to come out ahead.
If the results were reported to investors, regulators and consumers, such an exercise would create a stronger motivation for banks to make investments in data quality and protection, Waxman argues.
What if companies took the idea even further — by recognizing customer data, with all its risks and rewards, on both sides of the actual balance sheet? Court rulings since the 1970s have treated bank records as the bank's property under the "third party doctrine" that justifies U.S. government snooping. But as Europe's regulators push banks to make data portability easier, and the Consumer Financial Protection Bureau makes similar rumblings here, it's plausible to imagine data as something owed to the customer — like money in a CD.
"It would freak banks out to realize that some of that data they're about to monetize is not purely their own," said Pascal Bouvier, a partner at Santander InnoVentures, the Spanish banking giant's venture capital arm.
Perhaps, but that's how many customers already feel.