Bank breach! How come nobody cares?
Privacy regs are affecting the market slowly at first, and anything that does that is usually getting ready to matter all at once. We look at the creeping change and at ways to get ready for the shift.
The market just can’t quit dreaming on Pilbara gold. Pacton packs up more land, leads the volume board.
Here’s What Happened May 28th
Australian gold explorer and “great gold hope” Pacton Gold (PAC.V) finished up $0.14 at $0.91 (+18%) on news of another deal for Pilbara ground. The LOI has them acquiring a large and prospective area for $25,000 and 2.5 million shares, which is hard not to like. The EG slack channel also informs us that PAC has become an Equity Guru marketing client, so they also have excellent taste in distribution. Client or not, companies don’t make it into here’s what happened unless they’re up to something newsworthy. PAC led the Venture in dollar weighted volume today, doing 11 million shares.
is something that is frequently announced in the headings of popup windows and subject lines of emails, and just as frequently ignored. The recent rash of these alerts, which has users wondering if maybe we should be paying more attention to this kind of stuff, is largely thanks to the European Union’s General Data Protection Regulation (GDPR) coming into effect. The regs apply to any business that does business in the EU (parallel legislation exists in the UK), and if you want to read them there is a Wikipedia summary here. In theory, they prevent companies from storing user data without first anonymizing it, and from selling users’ data without specific opt-in consent. More relevantly, businesses are now required to report data breaches within 72 hours.
This morning BMO and CIBC alerted the Canadian public of data breaches that exposed customers’ private data to self-described blackmailers. BMO described the exposed accounts as “a limited number,” whereas CIBC, owner of Simplii (formerly PC Financial), put the number of accounts exposed north of 40,000. From coverage at the Globe, HuffPo and the CBC, it appears that these breaches were discovered through active contact with the bank by the attackers, ostensibly looking to pay it off from the source. The banks reiterated the industry-standard zero-fraud guarantee; if some hacker takes all your money and their investigators find that you had nothing to do with it, the bank eats the loss.
Timing is everything
The fact that these twin announcements, the first of their kind from Canadian banks that we can remember, came right after the GDPR makes us wonder if breaches are occurring in the financial industry all the time, and it’s just better business to either play dumb or find a good reason to keep quiet.
Announcing these breaches with US trading desks closed for the US Memorial Day holiday, as the TSX predictably did less than half of its regular volume, doesn’t seem accidental. One way or another, the markets barely flinched at these disclosures. BMO (BMO.T) was up $0.13 (+0.1%) to close at $101.60 on 449k shares, 1/8 its normal volume, and CIBC (CM.T) lost $0.14 (-0.1%) to close at $114.73 on 382k shares, about 1/5 its normal volume.
Nobody cared. This market is saying: “40,000 accounts, the capital in which the banks have made a strategic decision to guarantee… because the best idea the attackers who stole the data have had is to try and blackmail the bank over it? Whatever.”
But nobody has ever accused the market of having a broad, measured perspective.
While the money in the accounts is clearly the low-hanging fruit of this hack, the user data is the real prize. As is typical of government help, the data regulations are a few years behind the world’s general understanding of the topic at hand. Nobody is applying the general chaos that can be caused by ill-gotten identity data to this situation, and it’s certainly unclear whether responsibility for any fallout can be levelled on CIBC or BMO. But awareness is creeping into the popular consciousness slowly, and one day it will seem like it showed up all at once.
AI is a double-edged sword
As artificial intelligence and machine learning start to inch their way out of the dreams of small cap stocks trying to sound hip and into actual, practical, useful applications, both the researchers on the leading edge of digital security and the criminally minded are coming to sudden, startling realizations.
Tim Bouma works in digital identity, and has an uncanny ability to distil the rather complicated topic into digestible pieces that don’t make people’s eyes glaze over. He published an important revelation in the wake of the Google Duplex demo that rocked the tech world earlier this month, and it’s so perfect that we’re not even going to spoil it. It’ll be better if we just get out of the way and give Bouma room to move:
…OK, wait, we just have to tell you this one thing:
The core of paying off an identity hack is gaining the trust of a third party. An attacker who has obtained ill-gotten banking information has to be able to use that information to convince someone else that he or she is actually the attackee. Ok. That’s all. Here’s Tim:
When I saw the demo of Google Duplex (demo here) [ED: embedded above], my first thought was “Cool!” My next thought was, “Imagine a denial-of-service attack on hair salon schedules.” My final thought was, “Soon, I will never fully believe it’s a human being on the other end of a digital interaction.”
It really boils down to a few processes that, today, need to be carried out in the real world – tying your analogue-self to your digital self. These are:
- Making sure you are real in the first place.
- Gaining your consent
- Giving you something that can’t be mimicked, spoofed or hijacked.
Sure, these processes can be carried out digitally, but as Google Duplex is demonstrating, it’s only a matter of time that these can be attacked, making everyone believe it’s a human on the other end. And that “human” trying to be the “digital you” may be able to do a better job of proving that “you are you” better than you can.
No word yet on whether there’s AI code on GitHub that can be tweaked to make a bot smart enough to fool the minimum wage employee tasked with doing a security verification for a bank but, if there were, it would come down to the bot knowing what’s in the account owner’s banking file.
“Bad news travels slowly…”
There is a general malaise out there about data ownership, and it’s making its way into equity markets. Reliq Health Technologies has had a rough couple of weeks, and it’s tough to put a finger on exactly why. Reliq is in the business of internet-connected healthcare devices that monitor patients. The idea here is that patients can get out of the hospital and into the home quicker if there is internet-connected hardware monitoring their health. They make a good case for a quick, high-dollar rollout. Much of this care is paid for by insurance or Medicare and Medicaid, and the hospitals are all too happy to free up the beds as quickly as possible.
At a $152M market cap and a 31 price to book, RHT’s valuation is clearly ahead of itself. But that alone doesn’t make a company fall apart all at once. They have earnings coming up at the end of the month, but RHT isn’t an earner. They did $878,000 last quarter for a good top line margin, but ran at a loss. This company is in the growth phase, so it isn’t a matter of them missing or beating a financial number, though the street may well want to see growth in patients.
Today, the company made a show of cutting a deal for some hardware whose absence was slowing down patient onboarding. It was the kind of release that a company makes to show the market that it’s on top of a problem that is being whispered about, is maintaining operational control, etc. The market HATED it, sending RHT on a -12.3% tumble to $1.36 (down $0.19) on nearly twice their average volume. It was the 7th straight down day for RHT.
We aren’t plugged into anyone trading this thing, but it’s pretty easy to poke holes in their value proposition in the context of the emerging data sales environment. From the RHT website:
Reliq’s iUGO Care cloud supports the anonymization, storage and analysis of patient data collected by the iUGO Care system. Chronic disease patients being cared for in the home or in long term care facilities are often on complex medication regimens and have multiple co-morbidities. Treatment and outcome data for this patient population involves a massive number of variables relative to the more commonly available data from tightly controlled clinical trials and research studies, but with a sufficient number of data sets it can be analyzed and used to guide evidence-based care for these complex patients.
The global market for Big Data in Healthcare is expected to reach $17 Billion USD by 2022. Governments and private insurers are increasingly moving from fee-for-service reimbursement models to value-based care. The availability of representative data for the patient population being cared for determines the likelihood of success of a given healthcare organization in achieving maximum revenues for services provided under the value-based care reimbursement model. Reliq Health’s database of complex chronic care patient data helps care providers proactively identify at-risk patients and deliver effective treatment based on relevant data.
Data resale is a hell of a business, and the aggressive roll out of in-home monitoring would be a great way to collect it… but what happens when those patients, suddenly required to opt-in before their data is re-sold, get wise to the idea that the data is worth something? What’s in it for them, anyway?
Rival IoT devices company Patient Home Monitoring (PHM.V), recently re-branded as Pro-tech Home Medical, trades for a $51M market cap. Pro-tech is a bit more of a legacy company. They deal in a slightly different suite of devices, but it’s a similar business. While PHM’s legacy does come with some hair on it in the form of outstanding debt, it’s not an un-serviceable sum. PHM consistently sees quarterly revenue in the tens of millions of dollars.
Both companies are structured to earn off of in-home monitoring. The major difference is that in no place does PHM’s investor literature mention data sales as a value prop.
Is the big data trade off, then?
We’re not sure it was ever consistently on for the smallcaps. There have been some successes but never a sector rush like you see in gold or like the marijuana bull that just can’t be stopped. Clearly, these new rules aren’t something the market is going to like in the near term, but data isn’t becoming less valuable, just more difficult to harvest and monetize.
The next real value play to emerge is going to be in whatever company can come up with a workable trust framework that makes for better interoperability and puts users in a position to comfortably give data dealers the “yes” they need. And possibly get cut in while they’re at it.
Equity Guru marketing client Vitalhub (VHI.V) is in the business of healthcare interoperability, and if the very young company is able to do what they’re setting out to do, it could be a key component in a successful implementation of what Reliq is up to. Lukas Kane wrote about Vitalhub recently.
The company that solves these problems eventually will likely have a blockchain component, and now that the blockchain space is quieting down a bit, we’re getting a better idea of who’s actually an operator and who’s just a promoter. We’ll have a few pubco ideas for our readers soon, but for now: various private companies are dealing in frameworks that show promise provided they can get adoption. We think it will pay to understand what the people over at Blockstack are all about as they develop a very ambitious blockchain-enabled data locker. It’s the right idea and looks interesting.
The heads out there who put up with us for this long and want to learn more about the trust frameworks that will eventually make passwords obsolete may want to read up on the Pan-Canadian Trust Framework project. Both BMO and CIBC have signed on as sponsors of the project.
Blockstack founder Muneeb Ali has his own Ted Talk, but it hasn’t gone to his head. Yet.
Disclaimer: ALWAYS DO YOUR OWN RESEARCH and consult with a licensed investment professional before making an investment. This communication should not be used as a basis for making any investment.