Study examines erosion of PII as massive breaches persist

Share this article:
Hackers raid Washington state court system to steal 160,000 SSNs, 1M driver's license numbers
A new report examines the impact of repeated breaches on personally identifiable information.

A new report examines the impact of repeated breaches on personally identifiable information (PII) that is hard, or impossible, for victims to change.

On Tuesday, NSS Labs, an Austin, Texas-based security research and advisory firm, released an analyst brief entitled, “Why your data breach is my problem: The risks of relying on ‘private' information that cannot be kept private.”

The 15-page report highlights how massive data breaches in the past decade (which have grown in incidence and impact) erode the security of fixed, or “static,” personal data used to authenticate users.

Social Security numbers, dates of birth, and even physical addresses, along with other constant identifiers, are often stock piled by criminals after breaches, the report said, so that profiles are created using victims' leaked data.

NSS Labs charted the ten largest data breaches worldwide that occurred over the past decade, including the breach of Adobe customer information and Target payment card data announced in the last quarter of 2013. The firm noted that half of the breaches happened last year, alone.

“This data demonstrates that many records overlap between the breaches (with a total of 512 million records lost for the United States alone) and that the PII of a considerable share of the population of the United States (319 million) was exposed,” the report said.

To combat this threat, the report recommends that firms not store excessive data and that information is encrypted upon the inevitable compromise of information. In addition, NSS Labs said that more users should be allowed to terminate their accounts and have their personal data deleted (including information retained in backups by service providers).

The report also advised that “challenge questions,” used to authenticate account logins, be based on users' unique profiles or service history, rather than easily pieced together information about individuals.

Page 1 of 2
Share this article:

Sign up to our newsletters

More in News

Report: UK police push for required mobile phone PWs

The Metropolitan Police have reportedly lobbied for two years to enact the standard.

JPMorgan Chase customers targeted in massive phishing campaign

JPMorgan Chase customers targeted in massive phishing campaign

Roughly 500,000 emails have been sent out so far as part of a massive multifaceted phishing campaign targeting customers of JPMorgan Chase.

Study: Organizations lack training, budget to thwart insider threats

Study: Organizations lack training, budget to thwart insider ...

Of the 355 IT and security professionals surveyed, a majority indicated that they were ill-equipped to thwart a possible insider threat.