Hackers are hunting celebs. Digital IDs can help, but add new risks
When it comes to cyberattacks, celebrities have a huge target on their backs.
Just consider the news at the end of 2023 where Rhysida, the infamous hacking group, announced it had attacked King Edward VII's Hospital, a private health institution in London. This is bad enough by itself, but what really elevated this news from "another day, another attack," was the fact the hackers claimed to have obtained sensitive medical data on the British Royal Family.
The King Edward VII Hospital has provided close care to the family for over a hundred years, having looked after the Queen Mother, Prince Philip, Queen Elizabeth II, and King Charles III, to name but a few.
This makes it – and other hospitals serving the rich and famous – a treasure trove for hackers. If bad actors get hold of this sort of sensitive data, it can be used for all sorts of nefarious purposes, whether that's extortion, blackmail, or any other range of motives, political or otherwise.
In this instance, the Royal Family got off lightly. Although it's not clear precisely what happened, a few days after the announcement, Rhysida took down the note on their website about the Royal Family. The data wasn't leaked.
Now, we could spend some time unravelling this mystery, but, to me, the damage was already done. A glaring weakness was shown to the world. With this, a question: what do high-profile individuals like the Royal Family do about this threat?
Could famous people decouple themselves from public and private institutions? How would this work? And is it even possible?
I wanted to find out. So that's exactly what I did.
Getting deep with digital identities
"Digital identity, in its simplest form, is a set of facts about you," says Andrew Bud, the founder and CEO of iProov, a London-based identity verification and authentication service.
It makes sense. Then, one would assume, the easiest way for the wealthy and powerful to protect themselves would be to decouple their digital identity from institutions. That'd work, right? Surely?
"In the modern era of data breaches and ransomware farming, the idea that any information is a safe secret is fiction," Bud says.
Ah. It appears we're off to a rocky start. If no data is safe, how can anyone be? Should we all just pack our bags and give up?
Bud doesn't think so: "What matters most from a security perspective is securing your data so that it can't be monetised or exploited for unauthorised use."
In other words, it's all about authorisation. Securing who can access your data – something we'll return to later. That then means it's possible for high-profile individuals to decouple their digital identities, it just needs to be done holistically.
But how would it work?
Making the great decoupling happen
"It is in the realms of possibility for individuals to leverage additional technologies to decouple their digital identity from their healthcare or operational data," Matt Berzinski, senior director of product management at Ping Identity, tells me.
The key to this, he believes, is "decentralised identity."
Berzinski explains the idea behind this technology. Imagine going to a club and showing a bouncer your physical ID. In this case, they can see where you live, how old you are, and a raft of other personal information that's not relevant. In theory, they could remember this data and use it against you.
A decentralised ID, on the other hand, would simply show the bouncer that you're of the legal age and can enter. The person looking at your ID would only see the specific info they need to let you into the club. Nothing more, nothing less.
Effectively, this is how your data would be used in a decentralised environment. It's not there for anyone to see; it sits separate from, say, a hospital's system which will be only allowed to draw what it needs.
This is where the authorisation element that Bud from iProov discussed earlier comes into play. Only those authenticated to access this data will be able to use it.
But how do you ensure they are who they say they are? According to Bud, one way to achieve this is using biometrics.
"Things we know, like passwords [or phones], are easily shared, stolen or forgotten," he says, going on to say that biometrics cannot be taken advantage of in the same way. Yes, they can be copied, but this requires "significant effort and expertise" – which would make it tough for almost any bad actor to get hold of.
What we've learnt so far is that decoupling their digital identities could be a way for celebs to protect themselves from hackers, but is it actually possible today?
Freedom! (For identities)
The answer is kinda, but not really.
Here's the kicker: much of the technology that'd enable the wealthy to decouple their identities from public institutions exists, but it's simply not mature enough to make it happen.
As Berzinski from Ping Identity explains, while the promise of decentralised identity exists, it's "in its infancy, standards are still being formulated, and the general population's understanding and willingness to adopt it is still growing."
So, what should high-profile figures do now? If they can't decouple their identities from public platforms for protection, how do they defend themselves?
Terry Slattery – CEO of IDScan, a company that validates identities – believes it's "imperative that individuals adopt effective data privacy practices."
Effectively, celebs should suck it up and take increased responsibility. This involves everything from using password managers to being careful about what they share online.
As an example, Slattery tells me a story about former Australian Prime Minister Tony Abbott accidentally posting his Qantas boarding pass on Instagram, leading to a hacker obtaining sensitive information on him "in just 45 minutes." In other words, even something seemingly innocuous can be dangerous.
I won't lie, this is leaving me deflated. I thought there'd be a stylish and simple way to decouple digital identities, but, like life in general, it's proving more complicated than I thought.
Yet, there's hope. If it won't work today, it should in the future. Or so I thought.
Problems heaped upon problems
Keen to further burst my bubble, Simon Bain, CEO of OmniIndex, tells me flat out that "digital identities are not the answer."
Simply put, he believes that "if we cannot currently trust third parties with our data, we cannot trust them with our identities."
To him, organisations themselves need to take more responsibility and "adopt modern technologies that protect our private and personal information," with one such example being homomorphic encryption.
When I pushed him further about whether celebrities should push for their own, private security, Bain stated that we should all be demanding better protection – not just the wealthy or famous.
This is something Berzinski from Ping Identity also mentions: "The risk of allowing high net worth individuals or high-profile figures to do something different is that they actually become an even bigger target, a whale so to speak, and there is more vulnerability involved."
Now we're getting somewhere. Maybe the best way for celebrities to protect their identities from attackers is for everyone to get better security, not just them.
Power to the people
"The EU Digital Identity Wallet is one example of decentralised identity in development today," Bud from iProov says.
This aims to deliver all 447.7 million EU citizens the ability to store and exchange identity documents and credentials, securely and conveniently, while ensuring they have full control over their data.
Of course, the proof is in the pudding. How successful this is depends on how well the project is run and what happens.
In an ideal world, this way of removing data from public and private institutions into a more decentralised space could work wonders – but it could also be managed appallingly.
Slattery from IDScan has this to say: "The advent of decentralised digital identities could make it easier for perpetrators to commit identity fraud on a larger scale. Gaining access to someone's digital ID could potentially provide a gateway to their entire digital presence, from financial to social accounts."
To rephrase that, as things get more convenient and technologically advanced there's a strong chance that hackers could turn this to their advantage. I guess that's the thing about evolving technology: other people have it too.
For every decision that's made, a series of unintended consequences will happen. If managed correctly, something like the EU Digital Identity Wallet could deliver benefits that make us all safer online, whether wealthy or not. But if managed badly? Well, it could open an even bigger can of worms than the one emptying out today.
The good, the bad, and the decentralised digital IDs
While it's been enjoyable to follow this line of inquiry, it's important to swing back around to the original question. So, could high-profile individuals decouple their profiles from public institutions?
The answer? Yes. They could. Although this has the rather large caveat that while the technology is technically available today, it's not really in a place where it can be effectively used.
More pressingly though, celebrities going alone down this road would be a bad move. It'd make them even more of a target and potentially draw more nefarious attention, defeating the entire purpose of the move.
The solution to identity-focused cyberattacks isn't getting the most at risk to change, rather it requires an entire industry to shift. Keeping our data held ad hoc across multiple different systems with varying security standards is not sustainable in the modern world.
Instead, the focus should be on, as Bud from iProov mentioned at the start of this piece, authorisation. Organisations should only be able to access specific information.
This is why the EU Digital Identity Wallet is so exciting. Here is something that could protect people's data, ensure there are fewer leaks, and keep us all safe. If it works, of course.
The success of a project – and whether we want the government to be the sole holder of all our data – is a conversation for a different article. Fundamentally, things have to change – and, in the EU, it seems like that might just be happening.
For once, it appears that the best thing for celebrities is to just be like everyone else. Now that's a message I can get on board with.