How data leaks from Coinbase, BitMEX, and Binance pose a bigger question
“If you get something for free, you should know that you’re the product being sold”
With the advent of the Internet, the world shifted from ‘Health is wealth’ to ‘Data is wealth;’ and with this, the Internet quickly changed from being a place where one gains access to information to a manipulating blackhole. Does the Facebook Cambridge Analytica fiasco ring any bells?
Notably, 2018 was not just about the Facebook scandal. In fact, there were several other reports about data mismanagement that were brought to light, with top corporations being blamed for not taking necessary measures required to protect user data. Some unethically sold data to third-parties with the intention to make a quick buck, while others fell victim to attack vectors.
Even a study by the Identity Theft Resources Center stated that at least three data breaches happen on a daily basis, and according to a study by QuickView Data Breach, the first six months of 2019 recorded 3,800 publicly disclosed breaches, amounting to 4.1 billion records being compromised.
Now, the main purpose of data collection is usually purported to be the promotion of advertisements. However, the ulterior motive behind data collection is in managing day-to-day business and business analysis; and this is one of the reasons why data is considered the king of all.
Information such as age, gender, and location play a vital role in determining the target group and for the expansion of the business itself. In fact, financial information and social media activity allow a company to know you better than you know yourself.
The cryptocurrency space, while claiming to be the stark opposite of traditional marketplaces, is no exception when it comes to data breaches. This year alone, three of the leading exchanges fell victim to data breaches. The ones in question include Binance, Coinbase, and BitMEX.
“Ignorance is bliss” ~ Thomas Gray
Even though we’re reminded about the constant misuse of our data on a frequent basis, there are only a few who actually pay any heed to the policies set by companies whose services we all avail. Be it a paid service or an unpaid service, most of us just choose to check the “I agree” box without bothering to even read a single sentence of what we’re agreeing to, or thinking about the consequence a data breach could have on our lives.
However, on the flip side, when a financial institution encounters a data breach, it’s a whole different story altogether and differs depending on the information the company has on its customers.
In the cryptocurrency space, the information that is usually asked by a financial institution varies as per the services provided by the platform. For a cryptocurrency exchange, it depends on whether it is a regulated exchange or an unregulated exchange, and whether or not it has fiat on-ramps.
In an email to AMBCrypto, Oz Mishli, VP of Products at Unbound Tech, said,
“Handling of user data in an era where data is an asset and often monetised by fraudulent parties is very challenging for any organisation, let alone financial organisation, to keep their users’ data safe and private. To that end, cryptocurrency exchanges, especially the large and dominant ones, are no different.”
Here, information can be segregated on the basis of users’ trade activity, location, time, age group, and financial standing – the most important data. This information is later used to promote already existing services available on the platform, while also being used to build new ones based on customers’ previous activities on the platform.
It is also used for mergers and acquisitions. Interestingly, the main focus behind collection of data is often claimed to be for providing better services and to abide by the rules set forth by regulatory bodies.
For example, Coinbase’s privacy policy, last updated on April 11, 2019, states that customers’ data would be used “to facilitate corporate acquisitions, mergers,” and the only way to opt-out of the term is by opting out of the exchange itself.
Interestingly, most top exchanges don’t just stop with the data collected from its users; they also collect information on its customers from 3rd party sources to verify customers’ identity by comparing it with other databases and public records. This, however, is usually used to verify one’s identity in order to comply with regulatory authorities.
“Data privacy and security is about much more than keeping hackers at bay” ~ Deloitte
But, what happens when a platform that has all your personal information and financial information encounters data breach? Well, in short, it’s not good news for both parties. Given how cryptocurrency exchanges are the honeypot for hackers, it would make their job easier.
Coinbase, one of the largest cryptocurrency exchanges in the United States, comes to mind when we speak of data mismanagement. During an interview with Cheddar in March, former Head of Sales, Christine Sandler, revealed that the platform’s third-party service provider had leaked its customer data to other businesses, causing a huge uproar in the cryptocurrency market. She had stated that it was the main reason for the company acquiring Neutrino, a much-criticized acquisition in the market.
“Our current providers were actually selling client data to outside sources and it was really compelling for us to get control over that and have proprietary technology that we could leverage to keep the data safe and protect our clients”
On the subject of the same, Mishli told AMBCrypto,
“The dangers to users of cryptocurrencies following a data breach are varied; the option of leveraging data from a mass data breach for directly targeting exchange users’ with a targeted attack like redirection to a phishing site or malware infection is definitely feasible”
Binance, the largest cryptocurrency exchange in the world, is also no stranger to this matter. Along with losing 7000 Bitcoins to a hack, the exchange was also caught up in media frenzy over the Know-Your-Customer data leak, potentially affecting thousands of individuals who sent KYC information in 2018 and 2019.
However, the exchange cleared the air later by stating that the leak did not happen from the exchange’s side, highlighting that it could have been from a 3rd party service provider whose services Binance had availed during the peak season. Binance had stated in a blog post,
“First and foremost, there are inconsistencies when comparing this data to the data in our system. At the present time, no evidence has been supplied that indicates any KYC images have been obtained from Binance, as these images do not contain the digital watermark imprinted by our system.”
BitMEX, the biggest Bitcoin derivate platform, on the contrary, dug its own grave after its users’ email IDs were leaked when the exchange sent across a notification. With respect to BitMEX’s case, Mishli said that the attack vectors could be divided into two,
- Fraudsters attempting to access victims’ accounts, mainly by using compromised password DBs from past breaches [and relying on password reuse by the victim across different services]
- Fraudsters initiating a targeted attack like phishing campaign or malware campaign targeting BitMEX specifically
- Is likely to come first as it is a lower-level attack that is easier to pull off by less sophisticated attackers. According to BitMEX, such fraud attempts indeed took place, and it seems that they’re being controlled and blocked by BitMEX.
- Is likely to come later as it requires more thorough preparation and stronger skills, however, enables much more significant gain as it could deploy sophisticated attacks at scale to many leaked users [e.g. capable of bypassing 2FA].
“I think, in general, data protection really matters” ~ Aneel Bhusri
While major exchanges have taken necessary steps required to protect user information, steps such as maintaining physical, electronic, and procedural safeguards, and PCI scanning, this year has proved that these measures alone do not suffice. According to Mishli,
“They [exchanges] should, ideally, adopt the strictest information security and data management practices, similar to those applied the leading regulated Fortune 500 organizations.”