Study examines erosion of PII as massive breaches persist


A new report examines the impact of repeated breaches on personally identifiable information (PII) that is hard, or impossible, for victims to change.

On Tuesday, NSS Labs, an Austin, Texas-based security research and advisory firm, released an analyst brief entitled, “Why your data breach is my problem: The risks of relying on ‘private’ information that cannot be kept private.”

The 15-page report highlights how massive data breaches in the past decade (which have grown in incidence and impact) erode the security of fixed, or “static,” personal data used to authenticate users.

Social Security numbers, dates of birth, and even physical addresses, along with other constant identifiers, are often stockpiled by criminals after breaches, the report said, so that profiles can be built from victims' leaked data.

NSS Labs charted the ten largest data breaches worldwide that occurred over the past decade, including the breach of Adobe customer information and Target payment card data announced in the last quarter of 2013. The firm noted that half of the breaches happened last year alone.

“This data demonstrates that many records overlap between the breaches (with a total of 512 million records lost for the United States alone) and that the PII of a considerable share of the population of the United States (319 million) was exposed,” the report said.

To combat this threat, the report recommends that firms not store excessive data and that information be encrypted against its inevitable compromise. In addition, NSS Labs said that more users should be allowed to terminate their accounts and have their personal data deleted (including information retained in backups by service providers).

The report also advised that “challenge questions,” used to authenticate account logins, be based on users' unique profiles or service history, rather than on easily pieced-together information about individuals.
