Study examines erosion of PII as massive breaches persist


A new report examines the impact of repeated breaches on personally identifiable information (PII) that is hard, or impossible, for victims to change.

On Tuesday, NSS Labs, an Austin, Texas-based security research and advisory firm, released an analyst brief entitled, “Why your data breach is my problem: The risks of relying on ‘private’ information that cannot be kept private.”

The 15-page report highlights how massive data breaches in the past decade (which have grown in incidence and impact) erode the security of fixed, or “static,” personal data used to authenticate users.

Social Security numbers, dates of birth, and even physical addresses, along with other constant identifiers, are often stockpiled by criminals after breaches, the report said, so that profiles can be created using victims' leaked data.

NSS Labs charted the ten largest data breaches worldwide that occurred over the past decade, including the breach of Adobe customer information and Target payment card data announced in the last quarter of 2013. The firm noted that half of the breaches happened last year alone.

“This data demonstrates that many records overlap between the breaches (with a total of 512 million records lost for the United States alone) and that the PII of a considerable share of the population of the United States (319 million) was exposed,” the report said.

To combat this threat, the report recommends that firms not store excessive data and that information be encrypted in anticipation of its inevitable compromise. In addition, NSS Labs said that more users should be allowed to terminate their accounts and have their personal data deleted (including information retained in backups by service providers).

The report also advised that “challenge questions,” used to authenticate account logins, be based on users' unique profiles or service history, rather than on easily pieced-together information about individuals.
