The true cost of a data breach

Cyberattacks are becoming more sophisticated & stealthy, regulations stricter, and data volumes are soaring. Breaches often lead to financial losses, damage reputations, and erode customer trust. Robust data security has become not just a legal requirement, but a business imperative.

To underscore the importance of data security, let’s examine some recent financial services data breaches:

• Capital One (2019): Exposed the personal data of over 100 million customers.
• Experian South Africa (2020): Breached sensitive information of 24 million South Africans and nearly 800,000 businesses.
• Morgan Stanley (2021): Compromised the private data of many clients due to a third-party vendor’s security lapse.

According to IBM and its Cost of a Data Breach Report 2023 the global average cost of a data breach was $4.45 million, an 15% increase over the past 3 years. Far beyond financial losses, each example above resulted in significant reputational damage, erosion of customer trust, and operational disruption. 

However it’s not just the financial magnitude of security breaches that is on the up, but the time it takes to detect the breach in the first place. In the same report, IBM found that it took an average of 204 days to identify a data breach and another 73 days to contain it, a three-day increase from 2022. The impact of such a delay is notable. Breaches resolved in less than 200 days cost $3.93 million on average, while those lasting longer soared to $4.95 million on average – a 23% difference.

What can be done? 

The financial sector already invests heavily in data security to limit the risk of data loss or breaches which often comes at the cost of innovation and data collaboration with other institutions, particularly in areas like fraud detection, which could benefit greatly from data sharing. For instance, according to Splunk’s article ‘IT Spending & Budgets: Trends & Forecasts 2024,’ global spending on security and risk management is expected to grow by 14.3% in 2024, reaching $215 billion, up from $188.1 billion in 2023.

This suggests that the issue does not lie in the investment, effort, or intent, but rather in the inadequacy of current cybersecurity technologies to defend against increasingly sophisticated and insipid attacks.

The advent of Privacy Enhancing Technologies (PETs) marks a new chapter in data security, providing banks with enhanced protection to minimise breaches and their detrimental effects. PETs also offer valuable solutions that facilitate more collaborative data use. Two such PETs, Data Tokenization and Fully Homomorphic Encryption (FHE), offer powerful data protection in both thwarting attacks and limiting the damaging impact of a breakthrough while ensuring the persistent maintenance of data privacy. 

In this article, we explore how these technologies synergize to advance banking security and potentially change the outcome of breaches, such as those at Capital One, Experian South Africa, and Morgan Stanley.

But First, Understanding Data Tokenization

Data tokenization in banking replaces sensitive data elements, like credit card numbers or personal identifiers, with non-sensitive tokens. It is primarily used when data is at rest, and during some forms of processing or analysis. By substituting sensitive information with tokens, data tokenization protects essential data, making stolen tokens useless to attackers. This is crucial for maintaining trust and security in banking transactions.

Tokens can be categorised into:

• Informationally Inert Tokens: These hold no intrinsic value outside specific contexts, like a card number pointing to an account.
• Informationally Weighted Tokens: These carry significant information, such as age or income, allowing for secure computations and analysis.

By replacing sensitive information with tokens, banks can ensure that even if a breach occurs, the stolen data is rendered useless to attackers.

Understanding Fully Homomorphic Encryption (FHE)

While data tokenization is a powerful tool for safeguarding data at rest, it does not fully protect all cases where data is in use. This is where FHE comes into play. FHE allows computations on encrypted data without decrypting it, ensuring that sensitive information remains protected even during transmission. This means that data remains encrypted throughout its lifecycle, enabling secure analytics and informed decision-making, all while supporting adherence to privacy regulations. 

How FHE and Tokenization Complement Each Other

Merging FHE and tokenization provides thorough data protection:

• Tokenization: Secures data at rest by replacing sensitive data with tokens. Recognised in standards such as PCI DSS and GDPR for enhancing security and reducing compliance scope.
• FHE: Protects data in use by enabling computations on encrypted data without decryption, maintaining utility for analytics while ensuring security.

In big data environments like data lakes, tokenization allows secure storage and analytics by replacing sensitive data with tokens. For example, tokenizing a client’s date of birth allows for age-related calculations (e.g., when assessing eligibility for a financial product) while safeguarding the original date. This approach transforms threat modelling and risk evaluations by reducing the impact of data loss and enabling secure data collaboration through methods like Private Dataset Intersection.

Combined with FHE, this method can provide secure insights while maintaining data privacy. For instance, machine learning on FHE-encrypted data opens new possibilities for secure analytics, useful for fraud detection, risk assessment, and personalised services. Federated Machine Learning can benefit from FHE by protecting data or intellectual property while enabling collaboration.

Overall, the combination of tokenization and the potential of FHE offers robust security for banking, enhancing data protection, collaboration, and secure analytics.

Could Tokenization and FHE have prevented these breaches?

While tokenization wouldn’t have prevented the attacks, it would have limited the impact by making stolen data difficult to monetise. However, combining tokenization with Fully Homomorphic Encryption (FHE) could have provided a fail-safe solution. Tokenization secures data at rest, and FHE protects data in use, ensuring that sensitive information remains protected even during processing. This combined approach would significantly enhance overall data security in banking, making breaches far less rewarding for attackers and more challenging to exploit.

Some Real-World Applications

Tokenization helps banks comply with data protection regulations such as PCI DSS and GDPR by reducing the storage and transmission of sensitive data. In big data environments, tokenization and FHE protect sensitive information while maintaining its utility for analytics. By replacing sensitive data with tokens and encrypting it with FHE for secure computations, banks can not only securely store and analyse vast amounts of data, but externally exchange and collaborate over data with as much security as if the data remained entirely within their systems. Furthermore, FHE allows banks to perform machine learning computations on encrypted data, ensuring that sensitive information is never exposed. This is particularly valuable for fraud detection, risk assessment, and providing personalised services while maintaining data privacy.

Implementation Strategies for Banks

Implementing FHE and tokenization in banking systems requires a strategic approach:

• Assessment of Needs: Identify critical data elements that require protection and assess specific regulatory and compliance requirements.
• Selection of Technology: Choose appropriate tokenization and FHE solutions that align with security and operational needs.
• Integration and Deployment: Ensure seamless integration into banking systems and workflows, minimising disruption and maximising efficiency.
• Continuous Monitoring and Updates: Regularly evaluate and update security measures to address evolving cyber threats and regulatory changes, ensuring ongoing protection of sensitive data.

The Future of Data Security in Banking

As cyber threats grow more sophisticated, banks need to invest in advanced PETs, like tokenization and FHE. These technologies offer a strong defensive strategy, significantly reducing the financial impact, duration, and reputational damage of breaches. Through adoption of these technologies banks unlock huge opportunities for secure data analysis and collaboration across the financial industry. This proactive approach strengthens the overall resilience of the banking sector against attacks.

What We Do 

Optalysys is building the future of secure compute to enable the new data economy.

We are on a mission to transform data from a vulnerable target to a valuable asset. Our novel use of silicon photonic hardware accelerators enables performant, scalable Fully Homomorphic Encryption. Our technology powers the world’s most robust data security solutions that do not cost the earth they serve.