Hash Rate - Ep 112 - The Coinbase Data Breach

This episode dissects the Coinbase breach, revealing how compromised customer data highlights critical vulnerabilities in crypto platforms and the urgent need for advanced data protection strategies like encryption-in-use for investors and researchers.

The Coinbase Breach: Anatomy of an Insider Threat

• Coinbase recently disclosed a significant security incident where malicious actors obtained approximately 70,000 customer records, including sensitive home addresses and wallet balances.
• The attackers demanded a $20 million ransom to prevent the misuse of this data.
• Jackie Peters, founder and CEO of Blind Insight, explains the breach originated from an internal employee at an offshore customer service center who was bribed to sell the data.
• Mark Jeffrey, the host, notes, "As usual, it's not about hacking the computers. It's about hacking the humans that control the computers." This underscores the persistent human element in cybersecurity failures.
• This incident echoes the 2023 Okta breach, where a phishing scheme targeting a customer service employee led to a $2 billion market cap loss for Okta in a single day, highlighting the severe financial repercussions of such vulnerabilities.

Escalating Physical Risks for Crypto Holders

• The exposure of home addresses alongside wallet balances places affected Coinbase customers at serious physical risk.
• Jackie Peters points out an alarming "uptick in physical assaults on owners of crypto," as criminals can directly target individuals for their assets.
• The immutable nature of crypto transactions makes recovery nearly impossible unless perpetrators are caught. Cryptocurrency transactions, once confirmed on the blockchain, are generally irreversible, posing unique challenges for recovering stolen funds.
• High-profile cases, such as the kidnapping and assault of the Ledger CEO, illustrate the severe dangers. Peters emphasizes the emotional toll, stating, "it's not just their physical well-being, but it's also their emotional well-being that now I have to be, you know, on guard."

Financial Fallout and Disclosure Dynamics

• The breach has led to substantial financial consequences for Coinbase, with estimated reimbursement costs ranging from $180 million to $400 million, potentially covering damages, SEC fines, and pending lawsuits.
• Details on how actual funds were stolen remain unclear from the discussion.
• The breach reportedly occurred around November/December of the previous year, with Coinbase learning about it a couple of months ago (possibly March) and announcing it recently.
• Jackie Peters suggests the delay was likely due to internal investigations and legal consultations, as companies "have to" notify affected individuals when sensitive data is compromised to avoid severe regulatory impacts.
• This disclosure comes at an inopportune time, as Coinbase is poised for inclusion in the S&P 500, casting a shadow on its reputation.

Preventative Strategies: Beyond In-Housing Operations

• While some suggest bringing outsourced operations in-house, Jackie Peters argues this isn't a foolproof solution, as "there's bad actors in-house also."
• The core issue, according to Peters, lies in robust data access controls and sophisticated data management. The traditional paradigm required data to be in plain text for utilization, creating vulnerabilities.
• Modern solutions involve encryption-in-use technologies, which allow data to be processed while remaining encrypted.
  • Homomorphic Encryption (HE): A privacy-preserving cryptographic technique that allows computations to be performed directly on encrypted data without decrypting it first.
  • Zero-Knowledge Proofs (zkProofs): Cryptographic methods by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x.
• Peters advocates for combining these technologies with fine-grained access controls. For instance, in a call center, "you can filter down your call list on encrypted data. When the call comes through, the call center employee can pick up the phone. They can be handed keys to decrypt the fields they need to do their job."
• This approach ensures that "99.9% of the data stays protected 99.9% of the time and at no point is enough data ever exposed for anybody to really use for anything nefarious."

Assessing Coinbase's Current Security Posture

• Jackie Peters speculates it's "probably unlikely" that the offshore customer service center involved in the Coinbase breach had implemented advanced encryption-in-use technologies, given their novelty and the rarity of enterprise-grade deployments.
• The breach itself suggests that Coinbase's existing measures were insufficient to prevent this type of insider attack, highlighting a potential gap in their security stack concerning data handling by third-party or even internal support staff.

A Deeper Dive into Proposed Data Protection

• The proposed solution emphasizes a "stingy" approach to data access: representatives receive only the minimal "crumbs" of data necessary for their immediate task.
• Crucially, this protection extends beyond the application layer to the database itself, aiming to prevent even software engineers or those with system-level access from accessing sensitive data in bulk.
• This comprehensive protection is vital for mitigating risks from various internal access points.

Understanding Homomorphic Encryption's Potential and Limitations

• Jackie Peters explains that Homomorphic Encryption (HE) "allows you to perform analysis on data while it remains encrypted." While powerful and Turing complete (capable of any computation, fundamentally through addition and multiplication), HE is currently "very, very computationally expensive."
• Peters, referencing her co-founder, estimates HE is "probably 5 to 10 years off before it's really practical" for real-time applications like call centers, where it might take days to build a call list.
• Mark Jeffrey mentions Nillion as another entity working on operations on encrypted data, and notes that the mathematical possibility of such operations has been known since the 1980s.

Blind Insight: A Novel Approach to Encrypted Data Processing

• Frustrated by the limitations of HE for real-time analysis during her time at Orchid (a decentralized VPN project where she was the founding product person), Jackie Peters developed the idea for Blind Insight.
• Blind Insight pivoted from an initial graph-based approach to an index-based approach using techniques like searchable encryption. Searchable Encryption allows a party to search over encrypted data using keywords, without the server learning the keywords or the data content.
• This method is not fully Turing complete like HE but allows for incremental building of operations: starting with exact string matching, then number range operations, and now simple aggregation functions (sum, average, count).
• The core innovation is its efficiency: "it adds negligible overhead over plain text. I mean it's like millions of times faster than homomorphic encryption," Peters states, with current speeds around 15 seconds per million records. This efficiency is achieved by trading a small amount of cheap storage (for the index) for significantly reduced expensive compute.

Blind Insight's Technical Architecture: The Proxy Model

• Blind Insight employs a proxy architecture that can run in various environments (on-premise, private cloud, mobile library). This proxy handles encryption and decryption using user keys.
• The process involves:
  • The data owner's sensitive plain text data remains with them, along with their keys.
  • The proxy uses data keys for non-deterministic encryption (encrypting the same word, e.g., "cat," results in a different ciphertext each time) of the dataset.
  • Query keys are used for a deterministic hash (encrypting "cat" always yields the same hash).
  • An index maps these hashed query values to the non-deterministically encrypted data records.
• When a data requestor (with query keys) submits a query, the system uses the index to retrieve the relevant encrypted records, which the requestor cannot decrypt. This allows analysis without exposing plain text.
• This architecture effectively prevents scenarios like the Coinbase breach by ensuring employees (data requestors) only access specific, necessary encrypted data segments via API calls that grant and revoke keys for limited fields.

Implementing Blind Insight: Integration and Practicalities

• Blind Insight is designed for ease of integration using APIs and JSON, aiming to avoid vendor lock-in.
• For a company like Coinbase, integration would involve plugins or client libraries depending on their existing data stores (e.g., a HubSpot plugin or a BigQuery client library).
• A key item on Blind Insight's roadmap is a connector, possibly using cube.js, to support a wide variety of data sources.

Blind Insight: Product Maturity and Market Traction

• Blind Insight currently has around 80 beta users, with a couple of paying customers and several Letters of Intent (LOIs) and design partnerships, including one with UCLA Health.
• The platform has found favor with CISOs (Chief Information Security Officers).
• While still in beta, the upcoming V1 release will feature KMS (Key Management System) integration, enabling multi-user scenarios with a single proxy, making it ready for production use cases. KMS is a system for managing cryptographic keys, including their generation, storage, distribution, and destruction.
• There's significant demand from large enterprises, and also from growth-stage companies needing to demonstrate robust data security (encryption at rest/transit, access controls, observability) to their enterprise clients.

Web3 Applications and the Genesis of Blind Insight

• Jackie Peters' interest in privacy-preserving technologies began at Orchid, a decentralized VPN that used probabilistic micropayments to enhance privacy.
• Blind Insight's proxy architecture is well-suited for Web3 use cases like Self-Sovereign Identity (SSI). SSI is a model for managing digital identities in which individuals have sole ownership and control over their credentials and data, without relying on centralized authorities.
• Blind Insight can act as middleware to solve the "discoverability problem" in SSI. For example, a clinical researcher could find study participants with specific conditions without individuals revealing their data until a match is made locally on their device.
• Peters notes, "we solve this discoverability problem that's inherent to the whole self-sovereign identity play."

The Evolving Landscape of Self-Sovereign Identity and Data Ownership

• Mark Jeffrey contrasts traditional government-issued IDs with the Web3 vision of user-controlled identity.
• Jackie Peters expands SSI to mean broader data ownership: "why should big companies own my data and profit off of my data when I'm the one generating it?"
• Enterprises are increasingly interested in SSI due to international data sovereignty regulations like India's DPDP (Digital Personal Data Protection Act).
• However, challenges remain in SSI, including discoverability (which Blind Insight addresses) and the user experience (UX) of managing permissions.

Data Monetization, AI, and the Future of Compensation

• The discussion touches on users' desire to control and potentially monetize their data, even if it means allowing access to platforms like Facebook, but on their own terms. "MJ needs to wet his beak," Mark quips.
• A significant emerging issue is the use of publicly available data to train AI models without compensating the original creators.
• Peters believes individuals should be compensated: "the answer is yes. That somehow we should be compensated for you know the parts of our data that they're using."
• Several Web3 projects are exploring solutions for fair data compensation and decentralized data marketplaces.

Blind Insight's Path Forward and Collaboration

• While a mobile library for Blind Insight isn't available yet, it's a possibility for future development.
• The company is exploring partnerships with systems integrators, starting with smaller firms interested in early access to their technology.
• This strategic approach aims to build adoption and refine the product based on real-world integration challenges.

Connect with Blind Insight

• Interested parties can visit blindinsight.com for more information, a free 30-day trial (no credit card required), and open documentation.
• Blind Insight is also active on LinkedIn, Twitter (X), Blue Sky, and Instagram. A contact form is available on their website for direct inquiries.

The Coinbase breach underscores the critical need for advanced encryption and access controls in crypto; investors and researchers must prioritize solutions that protect data even while in use to mitigate insider threats and bolster trust.