A new report examines the impact of repeated breaches on personally identifiable information (PII) that is hard, or impossible, for victims to change.
On Tuesday, NSS Labs, an Austin, Texas-based security research and advisory firm, released an analyst brief entitled, “Why your data breach is my problem: The risks of relying on ‘private' information that cannot be kept private.”
The 15-page report highlights how massive data breaches in the past decade (which have grown in incidence and impact) erode the security of fixed, or “static,” personal data used to authenticate users.
Social Security numbers, dates of birth, and even physical addresses, along with other constant identifiers, are often stock piled by criminals after breaches, the report said, so that profiles are created using victims' leaked data.
NSS Labs charted the ten largest data breaches worldwide that occurred over the past decade, including the breach of Adobe customer information and Target payment card data announced in the last quarter of 2013. The firm noted that half of the breaches happened last year, alone.
“This data demonstrates that many records overlap between the breaches (with a total of 512 million records lost for the United States alone) and that the PII of a considerable share of the population of the United States (319 million) was exposed,” the report said.
To combat this threat, the report recommends that firms not store excessive data and that information is encrypted upon the inevitable compromise of information. In addition, NSS Labs said that more users should be allowed to terminate their accounts and have their personal data deleted (including information retained in backups by service providers).
The report also advised that “challenge questions,” used to authenticate account logins, be based on users' unique profiles or service history, rather than easily pieced together information about individuals.
Lastly, the report recommended collaboration between the government and private sector, specifically to introduce clearing houses for analyzing breached data, should service providers need to be alerted of heightened risks to customers.
In Wednesday email correspondence with SCMagazine.com, Stefan Frei, research vice president at NSS Labs and co-author of the data breach report, emphasized the point that “data once leaked cannot be taken back."
“What we have seen so far is just the beginning,” Frei wrote of breaches. “More data will be leaked, which refines cyber criminals' databases, [and] increases identity theft. Redesigning the use of static properties is a society-level challenge that must be addressed.”