Less than a week into 2023 and Twitter has already reported a data breach affecting 200 million users. With data breaches rising by 70% in the third quarter of 2022 and notable organisations such as Uber, Medibank, DoorDash, and even the Costa Rican government reporting data breaches, data privacy is becoming an ever-growing concern for consumers. This has forced the introduction of laws such as GDPR in 2018 for the EU, APPI in 2020 for Japan, and PIPEDA in 2000 for Canada.
According to Clock Tower Insight, two-thirds of consumers believe that a company’s privacy practices relate to the business’s trustworthiness. This has also led to the creation of a new faction of consumers, known as “privacy actives”. In a 2019 survey conducted by Cisco, almost a third of respondents said they care so much about privacy that they are willing to switch, and already have switched, companies and businesses because of their data usage or sharing policies. So, with the scene set, how does PII enter the picture and why should you care?
PII stands for Personally Identifiable Information and has multiple definitions, but the most basic is any piece of information or data that can be used to identify an individual. PII can be separated into two categories: sensitive and non-sensitive. Sensitive PII is data that is unique to an individual, such as passport numbers or banking details. Non-sensitive PII is information that can be found in public records, such as a date of birth or postal code.
However, in the eyes of the law, the definition can change, and what is and isn’t important to protect becomes murkier. In the United States, PII is defined as something that is personally identifiable, such as a name, social security number, or biometric records. Under Australian privacy law the definition is much broader: it defines PII as information or an opinion about an individual whose identity is either apparent or can be reasonably ascertained. Canadian privacy law, in turn, defines PII as a piece of data that, on its own or combined with other pieces of information, can identify an individual.
Most basic signup pages for a company will at least ask for an email address, if not more, such as first names, surnames, and dates of birth. Depending on which of the privacy laws we have discussed applies, all of these fields, or none of them, can constitute PII. Given these circumstances, it’s best to treat all incoming data from consumers as PII and as sensitive.
To contextualise the value of PII to malicious attackers, let’s look at some statistics. It’s the most commonly stolen data asset according to IBM, with PII being included in 44% of attacks. That’s because selling PII on the dark web can make attackers a lot of money. The average cost per customer record in 2021 was $180. But that is for one record. Also according to IBM, the average number of records stolen in a data breach is 25,575. Extrapolating this data, an average attack can earn $4.6 million for an attacker by selling records alone. That’s a coffee a day for the next 4,500 years. Or having all of your meals out for the next 210 years. Or 23 Lamborghinis. Basically, it’s a lot of money.
So, we’ve looked at what constitutes PII, its value, and the importance of data privacy for consumers. Now let’s dive deeper into how PII can be overexposed and what ramifications can come about from it. Unlike other security breaches with direct attacks on network systems, obtaining PII due to overexposure is much more passive; by just listening to network traffic, a bad actor can obtain mountains of data. This can happen due to PII being sent over unencrypted networks; sending PII over email; having media storage devices lost or stolen that contain PII; not having proper authentication access controls for areas of the network with PII; or not correctly monitoring the PII sent over APIs.
To examine the different variations of overexposure, we’ll look at three examples of where companies didn’t sufficiently protect consumers’ PII, which ultimately led to breaches. In 2017, the parent company of the Wall Street Journal, Dow Jones & Co, was found to have unsecured AWS servers, meaning anybody with (freely available) Amazon web authentication could access a server holding records for their four million customers. The data on this server included customer names, home and business addresses, email addresses, and the last four digits of the customer’s credit card.
Another example of PII overexposure happened in 2010, when the Brighton & Sussex University Hospitals NHS Trust was tasked with destroying over 1,000 hard drives and gave the job to a subcontractor, who took at least 252 hard drives from the hospital, 232 of which found their way onto eBay. These drives held medical records such as diagnosed STIs, disability allowance forms, and reports on children, as well as National Insurance numbers (the UK equivalent of a Social Security number), home addresses, and information on criminal convictions.
The final example happened in 2021. Due to a design flaw in Microsoft Power Apps, Table Permissions were not enabled by default, which meant that the Open Data Protocol (OData) API exposed a list of data that an anonymous user could access. Because safeguards were not put in place by Microsoft, 47 different organisations that used Microsoft Power Apps were affected, including American Airlines, Ford, the Maryland Department of Health, and the state of Indiana. Given the sensitivity of some of the affected organisations, the accessible records included names, email addresses, and Social Security numbers.
So, according to the laws previously mentioned, these breaches should have resulted in repercussions. And indeed they did. In the case of the Brighton & Sussex University Hospitals NHS Trust, they were fined £325,000 by a data protection watchdog. So, data protection breaches can incur huge fines, especially since the introduction of GDPR. If a company is found to be in breach of GDPR, which applies to any company that collects or processes data of customers within the EU, it can be fined up to €20 million or 4% of the worldwide turnover of the preceding year, whichever is higher. This has led to companies such as Amazon, Facebook, and WhatsApp being fined €746 million, €265 million, and €225 million respectively. In Canada, an organisation found to have violated PIPEDA can be fined up to CAD 100,000.
But large fines are not the only repercussion for a business found to be in breach of data protection and overexposing PII. As mentioned previously, “privacy actives” are willing to leave businesses and organisations if they deem their privacy policies insufficient. Comparitech reported that, when examining the share prices of businesses that had suffered major data breaches, they tended to underperform significantly in the following years. A year after the breach, the examined companies underperformed the NASDAQ by 8.6%, and after three years they were underperforming by 15.6%. So, these overexposures don’t just affect short-term profits but can have longer-lasting effects too.
So, PII is highly valuable to malicious attackers and should be protected at all costs. Not only should sensitive PII be protected but, by some legal standards, so should non-sensitive PII. Protecting all PII also earns more respect and trust from the customers using your product, because no stone has been left unturned. But how do we protect the consumer’s PII?
A lot of guides to PII data protection will advise taking stock of the PII on servers and employee systems, scaling down the amount of PII that is collected so that the attack surface is minimised, and locking down all the systems that store any form of PII. But this is hard to do. Trying to discover all of this is a long and arduous task, so much so that once you’re finished, it usually has to be started again because systems are constantly changing. This is especially true given the ever-changing and expanding world of APIs, which have become so integral to systems within organisations, as we’ve mentioned before in this blog.
That is why Darkspark detects PII overexposure from the APIs that you use within your business. It ranks the risk of these exposures and helps to prioritise the order in which risks should be remediated. As in the Microsoft Power Apps breach, an API that handles PII isn’t always properly configured or secure and can lead to PII overexposure. Protecting the PII of your customers is not only important for legal reasons but also the reputation of your company and will help with better security practices.
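As an added illustration of the kind of check described above (example code written for this post, not Darkspark’s code or its actual method), the Python below scans constructed API responses for PII fields, splits them into the sensitive and non-sensitive categories used earlier in the post, and ranks endpoints so that an anonymously reachable OData-style listing, as in the Power Apps case, sorts to the top of the remediation list. The endpoint paths, field names, sample values and weights are all assumptions.

```python
import json
import re

# Constructed sample responses from two hypothetical endpoints (not real data).
SAMPLE_RESPONSES = {
    "/api/profile": {
        "auth": "session",
        "body": json.dumps({"id": 17, "name": "Ada Example", "email": "ada@example.com",
                            "dob": "1990-04-02", "postal_code": "SW1A 1AA"}),
    },
    "/odata/contacts": {
        "auth": "anonymous",
        "body": json.dumps({"value": [{"FullName": "Bob Example", "Email": "bob@example.com",
                                       "SSN": "123-45-6789", "Passport": "X1234567"}]}),
    },
}

# Field-name hints, following the post's split into sensitive and non-sensitive PII.
SENSITIVE_KEYS = ("ssn", "social", "passport", "iban", "account", "card")
NON_SENSITIVE_KEYS = ("name", "email", "dob", "birth", "postal", "zip", "address")
# Value patterns that still catch PII when the key name is uninformative.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
WEIGHTS = {"sensitive": 5, "non-sensitive": 1}  # assumed weights

def walk(obj, path=""):
    """Yield (dotted path, leaf key, value) for every leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, path.rsplit(".", 1)[-1].split("[")[0], obj

def classify(key, value):
    """Return 'sensitive', 'non-sensitive' or None for one response field."""
    k, v = key.lower(), str(value)
    if any(h in k for h in SENSITIVE_KEYS) or SSN_RE.match(v):
        return "sensitive"
    if any(h in k for h in NON_SENSITIVE_KEYS) or EMAIL_RE.match(v):
        return "non-sensitive"
    return None

def score_endpoint(auth, body):
    """Weighted count of PII fields, tripled when the endpoint is reachable anonymously."""
    findings = []
    for path, key, value in walk(json.loads(body)):
        category = classify(key, value)
        if category:
            findings.append((path, category))
    score = sum(WEIGHTS[c] for _, c in findings) * (3 if auth == "anonymous" else 1)
    return score, findings

def rank(responses):
    """Order endpoints by risk score, highest first, to prioritise remediation."""
    scored = {ep: score_endpoint(r["auth"], r["body"]) for ep, r in responses.items()}
    return sorted(scored.items(), key=lambda kv: kv[1][0], reverse=True)
```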
Sources:
https://dataconomy.com/2023/01/twitter-data-breach-2023-twitter-email-leak/
https://www.infosecurity-magazine.com/news/data-breaches-rise-by-70-q3-2022/
https://www.securitymagazine.com/articles/98716-the-top-10-data-breaches-of-2022
https://securityscorecard.com/blog/countries-with-gdpr-like-data-privacy-laws
https://clocktowerinsight.com/customer-privacy-why-its-more-important-than-ever/
https://hbr.org/2020/01/do-you-care-about-privacy-as-much-as-your-customers-do
https://gocardless.com/guides/posts/what-is-personally-identifiable-information-pii/
https://www.imperva.com/learn/data-security/personally-identifiable-information-pii/
https://www.rmda.army.mil/privacy/PII/PII-breaches.html
https://www.comparitech.com/blog/vpn-privacy/data-breach-statistics-facts/
https://www.varonis.com/blog/data-breach-statistics
https://www.idtheftcenter.org/post/what-is-an-over-exposure-of-your-data/
https://healthitsecurity.com/news/microsoft-data-breach-exposes-38m-records-containing-pii
https://www.tessian.com/blog/biggest-gdpr-fines-2020/
https://resourcehub.bakermckenzie.com/en/resources/data-privacy-security/north-america/canada/topics/penalties-for-non-compliance
https://securityintelligence.com/articles/5-steps-to-protect-personally-identifiable-information/
https://www.virtru.com/blog/6-steps-to-securing-pii-for-privacy-and-compliance