Study examines erosion of PII as massive breaches persist

Share this article:
Hackers raid Washington state court system to steal 160,000 SSNs, 1M driver's license numbers
A new report examines the impact of repeated breaches on personally identifiable information.

A new report examines the impact of repeated breaches on personally identifiable information (PII) that is hard, or impossible, for victims to change.

On Tuesday, NSS Labs, an Austin, Texas-based security research and advisory firm, released an analyst brief entitled, “Why your data breach is my problem: The risks of relying on ‘private' information that cannot be kept private.”

The 15-page report highlights how massive data breaches in the past decade (which have grown in incidence and impact) erode the security of fixed, or “static,” personal data used to authenticate users.

Social Security numbers, dates of birth, and even physical addresses, along with other constant identifiers, are often stock piled by criminals after breaches, the report said, so that profiles are created using victims' leaked data.

NSS Labs charted the ten largest data breaches worldwide that occurred over the past decade, including the breach of Adobe customer information and Target payment card data announced in the last quarter of 2013. The firm noted that half of the breaches happened last year, alone.

“This data demonstrates that many records overlap between the breaches (with a total of 512 million records lost for the United States alone) and that the PII of a considerable share of the population of the United States (319 million) was exposed,” the report said.

To combat this threat, the report recommends that firms not store excessive data and that information is encrypted upon the inevitable compromise of information. In addition, NSS Labs said that more users should be allowed to terminate their accounts and have their personal data deleted (including information retained in backups by service providers).

The report also advised that “challenge questions,” used to authenticate account logins, be based on users' unique profiles or service history, rather than easily pieced together information about individuals.

Page 1 of 2
Share this article:

Sign up to our newsletters

More in News

Report: Hackers stole data from Israeli defense firms

A report by Brian Krebs detailed the intrusions, which occurred between Oct. 2011 and Aug. 2012.

Neverquest trojan targets regional banks in Japan

Symantec researchers found a new variant of the banking trojan.

IG scolds NOAA on security deficiencies, recommends fixes

IG scolds NOAA on security deficiencies, recommends fixes

An audit of NOAA by the inspector general found security shortcomings, including the link between information systems and satellite systems.