Modern data breach prevention: Why digital sovereignty requires path control

by Akanksha Khandelwal | May 5, 2026


Amid intensifying geopolitical outbreaks, the global digital frontlines are under attack. From Border Gateway Protocol (or BGP) hijacking to data breaches, the digital sovereignty of countries and institutions stands threatened. Recent data breaches reveal the scale of risk: 

  • More than 19 million records of personal/confidential data of French citizens have been stolen (Source: TechRadar)
  • 350 GB of European Commission data was stolen through a compromised cloud infrastructure (Source: Security Week)
  • Over 16 billion credentials were reportedly leaked from social media platforms such as Meta, Google, and Apple, aggregated from prior leaks and infostealers (Source: Cyber News)
  • About 570 GB of compressed data was stolen by hacking into internal systems, including 28,000 repositories that hosted sensitive information, API keys, VPN settings, and credentials (Source: Guardz) 

Strengthening your routing security, sovereign cloud infrastructure, and internet connectivity is more important than ever, especially as we find ourselves in an era of unprecedented data attacks amplified by AI.  

 

The modern breach problem 

What is a data breach?

A data breach is a security incident where unauthorized parties gain illegal access to sensitive or confidential information, with the intent to exploit it for a wider attack or sell it to a third party for profit. In fact, a data breach can cost about USD 4.44 million on average, according to the Cost of a Data Breach 2025 report by IBM.

Data breaches can stem from: 

  • targeted attacks such as routing-based exploits, phishing, and malware  
  • insider attacks where employees leak important company information to third parties
  • infrastructure vulnerabilities including cloud environments, third-party software, and operational technology 

From financial losses and reputational damage to legal penalties or fines under the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), data breaches can have severe, far-reaching consequences for businesses and government organizations, threatening their very existence.

 

The overlooked attack surface: routing 

One of the most prevalent, yet underestimated, threats arises from routing failures. These breaches, intentional or accidental, are significant security lapses that occur when internet traffic is misdirected, intercepted, or exposed to unauthorized networks.

The Border Gateway Protocol (or BGP), an internet routing standard, was originally designed with the idea that interconnected networks could be trusted to announce ownership of the IP addresses they control. However, this trust-based protocol leaves behind systemic vulnerabilities: cyber criminals can exploit it through BGP hijacks, and accidental misconfigurations can cause route leaks.

 

What is BGP hijacking?

BGP hijacking is a cyberattack where attackers falsely announce ownership of specific IP addresses to misdirect internet traffic, leading to data theft, service outages, or traffic interception. A BGP hijack takes place when attackers gain illegal control of, or compromise, a BGP-based router that connects autonomous systems (i.e. a unified, collective network infrastructure under one organization).

 

What is a BGP route leak?

A route leak is an unexpected glitch that happens when a network accidentally broadcasts its route, causing internet traffic to follow an unplanned path, resulting in suboptimal routing, spoofing, interception, or traffic blackholes.   

 

While a BGP hijack is usually intentional, a BGP route leak is typically accidental in nature. 

  

Digital sovereignty: what it actually means 

According to the World Economic Forum, digital sovereignty refers to the ability to have legal control over your own digital destiny – the data, hardware, and software that you rely on and create. Digital sovereignty ensures better compliance, improves stakeholder trust, fosters innovation, and protects critical infrastructure. 

Digital sovereignty goes beyond mere data residency (the physical location of data). It’s about controlling the route to guarantee compliance with the set regulatory and legal norms. Especially during current times when there is a rise in geopolitical tensions, there is a need for nations to assert their digital sovereignty over information and connectivity.  

 

What is RPKI? Does it solve routing challenges? 

Resource Public Key Infrastructure (or RPKI) is a security framework that cryptographically validates which network operators are authorized to use specific IP address blocks. In other words, using RPKI, network operators can make informed and safe routing decisions by cryptographically verifying the Route Origin Authorization (ROA) certificate held by legitimate holders of network resources.

RPKI was introduced as a data breach prevention mechanism to mitigate BGP hijacks and route leaks and has seen increasing adoption with a positive track record. However, it faces a critical limitation: almost 50% of routed IP address blocks are not covered under the purview of RPKI certificates. Other challenges with RPKI include: 

  • Unsatisfactory repository management: RPKI depends on a distributed group of robust repositories for storing and serving the ROA payload. But most of these repositories offer subpar service in terms of distributed content and performance, leading to bad DNS hygiene, inaccessibility, and timeouts. (Source: RIPE Labs)
  • Software issues: RPKI validators worldwide are affected by Denial-of-Service (DoS) attacks, silent ROV downgrades, path traversal flaws, and RPKI cache poisonings (where malicious, copied or stale ROAs are injected into the validated cache). (Source: RIPE Labs) 
  • Forged-origin attacks: Since RPKI validates only the origin of a route announcement, and not the entire path, an attacker can pretend to own the victim’s legitimate autonomous system to bypass the RPKI origin validation. One such attack was the KLAYswap BGP hijack, in which the attackers stole roughly $2 million worth of cryptocurrency from the platform’s users by impersonating a legitimate network infrastructure to divert traffic to their own malicious system. Had there been a valid RPKI Route Origin Authorization (ROA) for the legitimate origin Autonomous System Number (or ASN), this attack could have either been prevented or its impact minimized.
  • High implementation costs: Implementing RPKI validation requires huge costs associated with updating router configurations and hardware upgrades. Therefore, for many ISPs and countries, this could either become a question of budget or priorities. 
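
The origin check described above, and the two gaps the list names (prefixes with no ROA, and forged origins), shown as an added example; it is not code from this post or from any RPKI validator. The ROA, prefixes (documentation ranges), ASNs (documentation ASNs) and function names are constructed for illustration, and the decision logic follows the valid / invalid / not-found states of RFC 6811.

```python
import ipaddress
from typing import NamedTuple, Sequence

class ROA(NamedTuple):
    prefix: str      # authorized address block
    max_length: int  # longest prefix length the holder allows
    asn: int         # AS authorized to originate the block

# Constructed ROA set: documentation prefix and documentation ASNs only.
ROAS = [ROA("192.0.2.0/24", 24, 64500)]

def validate_origin(prefix: str, as_path: Sequence[int], roas=ROAS) -> str:
    """RFC 6811-style origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # only the last AS in the path is ever checked
    covered = False
    for roa in roas:
        block = ipaddress.ip_network(roa.prefix)
        if route.version != block.version or not route.subnet_of(block):
            continue
        covered = True  # at least one ROA covers this route
        if roa.asn == origin and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

# Constructed announcements: (label, prefix, AS path as received)
ANNOUNCEMENTS = [
    ("legitimate origin",      "192.0.2.0/24",   [64510, 64500]),
    ("wrong origin AS",        "192.0.2.0/24",   [64510, 64511]),
    ("more specific than ROA", "192.0.2.0/25",   [64510, 64500]),
    ("forged origin appended", "192.0.2.0/24",   [64510, 64511, 64500]),
    ("prefix without any ROA", "203.0.113.0/24", [64510, 64502]),
]

def classify_all():
    """Validation state for every constructed announcement, keyed by label."""
    return {label: validate_origin(p, path) for label, p, path in ANNOUNCEMENTS}

if __name__ == "__main__":
    for label, state in classify_all().items():
        print(f"{label:24} {state}")
```

The fourth announcement validates exactly like the first because the intermediate AS 64511 is never inspected, and the fifth is neither accepted nor rejected by the ROA data, so what happens to it depends on local policy.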
     

Fixing BGP is nearly impossible as it would require coordinating among a vast web of independently operating networks across every country. Moreover, many of these networks are in competition with each other, and some of them are in countries facing geopolitical conflicts, complicating standardization and collective upgrades.   

 

The stronger approach for data breach prevention: secure-by-design connectivity 

In such a scenario, it’s imperative to adopt a secure, path-controlled networking protocol that not only counters data breaches but also enables digital sovereignty along with establishing network resilience. 

That’s where Scalability, Control, and Isolation On Next generation networks (or SCION) comes in. Purpose-built to solve systemic weaknesses in today’s BGP-based internet, SCION is a next-generation internet technology that gives organizations control over where their data travels, what path it follows, and which network providers it wants to involve.  

Along with Anapaya, SCION is being deployed as a network protocol to secure connectivity for government institutions, mission-critical businesses, cloud platforms, and network providers. 

 

Key features of SCION 

  • Provides strong cybersecurity and mitigates fraud risks by eliminating internet attacks linked to public internet such as BGP hijacking, route leaks, and prefix spoofing.  
  • Enables path predictability and strong authentication by defining the entire network path along with instant failover to pre-validated alternate paths and immediate recovery from outages.  
  • Establishes data sovereignty by offering substantial control over where data travels, irrespective of opaque global routing policies. 
  • Creates a high-security internal fabric that’s already operating in parallel in national infrastructures, central banks, academic networks, and regulated industries.
  • Secures digital communication ensuring authorized connectivity among entities, including partners, infrastructure providers, and cloud platforms.  

 

A global SCION pioneer: Switzerland 

Switzerland has become the first country to adopt SCION nationwide, with major ISPs leading its deployment across finance, healthcare, and more. One flagship example of SCION’s integration is the Swiss Secure Financial Network (SSFN), which connects banks and critical financial institutions with their key service providers.  

 

Key features of the SSFN 

  • Closed membership: Only approved institutions can join, ensuring a trusted environment. 
  • Multiple providers: Several telecom partners work together to ensure a smoothly running network with automatic failover paths. 

With SCION, SSFN is embracing a more trustworthy digital future.  

 

SCION is designed for mission-critical businesses 

SCION has been specifically engineered for organizations operating in mission-critical domains to reduce their dependency on BGP-backed traditional internet. These include: 

  • ISPs and cloud providers, for stable, high trust inter-domain connectivity, 
  • Healthcare, for protecting sensitive patient data,  
  • Government bodies, for securing public service communications and asserting data control, 
  • Financial services, for safeguarding inter-bank communication, cross-border transactions, and real-time payments,
  • Public infrastructure and energy supply, for protection against cyberattacks and operational disruptions.  

 

Conclusion 

As cyber threats increasingly evolve alongside geopolitical rivalries, countries and organizations can no longer rely on trust-based traditional internal protocols such as BGP. Modern-day data breach prevention requires a secure, sovereign, and resilient internet infrastructure to reclaim control over where and how data travels.  

Technologies like SCION can help your institution achieve true digital sovereignty by fostering trusted digital communications and preserving autonomy in the years ahead. 

Safeguard your critical operations, adopt SCION today