In the previous article in this series on the collateral damage produced by a data breach, we looked at the harm that could result if hackers gained access to your electronic health record, or EHR. That collateral damage can reach a person's reputation and can even be catastrophic. In this post, we will review the collateral damage that can occur from a personally identifiable information data breach. Personally identifiable information, or PII, is a huge target for cybercriminals.
To understand why PII is so valuable to hackers, it helps to look at some examples of what constitutes it. PII is any information attributed to an individual that identifies that person and distinguishes them from others. Examples include:
- Social Security Number
- Phone Number
- Driver’s License Number
- Personal Habits or Interests
- Biometric Data
Any information that an individual provides, whether on an online form, a voter's ballot, a retail transaction or elsewhere, constitutes PII. This is what makes stolen information so useful for mounting highly targeted attacks on individuals for any number of purposes. For example, a hacker can take a person's employee identification number and use it to uncover more sensitive information.
Types of PII-Related Data Breaches
There are multiple cybercrime scenarios that can involve PII. Bad actors may compromise consumer PII directly, target credit reports or conduct identity theft. Theft of PII can also serve as a means to another, greater end. For example, cybercriminals may target individuals who hold sensitive positions in corporate and government organizations for defamation, or to put their lives at risk.
Information that hackers steal can be used against targeted individuals in orchestrated attacks. Hackers may also leverage a PII-related cyberattack for less obvious purposes. Consumer PII can itself be a source of monetary gain, for instance as a marketing commodity: a hacker may infiltrate a computing system to gain access to PII and repurpose it as marketing lists to sell products. Cybercriminals may also harvest and aggregate data from multiple sources, gaining more insight and painting a clearer picture of their target(s) from the combined data points.
Dangerous Scenario: PII of Cincinnati Police Officers Exposed, Placing Lives at Risk
Some, but not all, PII is publicly available, and it is rarely available as a complete set. For example, the names, addresses and phone numbers of Cincinnati police officers could be found in the yellow pages, but the phone book doesn't say who they work for, where they work, or who their family members are. This is why the public exposure in February of 2016 of personal data about members of the Cincinnati police force put the officers, and their family members, at risk.
The breach was carried out by a hacktivist group protesting the homicide of an unarmed citizen. The hack compromised the data of 52 officers, including their names, emails, phone numbers and social media accounts. Homicide detectives, officers and others had their PII disclosed. Beyond the compromise of sensitive information, the hack put the police force in harm's way from assailants seeking to avenge the shooting.
Office of Personnel Management, a Federal Agency, Fell Prey to PII Hackers
In 2015, the Office of Personnel Management fell victim to two cybercrimes in which the data of Federal officials, employees and contractors was compromised. USIS, a former corporation, was the vendor that provided the background investigations. Amid the controversy, including the breach, USIS ceased its operations.
Social Security numbers, along with login usernames and passwords, for 21.5 million background-investigation records were compromised, as was sensitive information concerning finances and mental health. Earlier that year, the PII of 4.2 million current and former Federal employees, including Social Security numbers, birth dates, full names and home addresses, was exposed. The list of victims includes active duty service members. This type of breach not only put PII at risk, it also put people's safety in danger.
Potential Collateral Damage of a PII Data Breach
The collateral damage of a PII data breach can range from revealing the personal details of a person’s private life, to defamation, to harassment or worse.
- Mailbox Theft or Dumpster Diving: A personally identifiable information data breach can lead to a targeted attack once the attacker knows where you live, where you work, who you work for and other such details. This lets a malicious person target you to access confidential information. Such an attack can also divulge the secrets of your personal life, which can be used for additional targeted attacks, or to identify and locate your loved ones and associates in order to target them.
- Stalking and Retaliation: Compromised PII can be used by stalkers to locate individuals – at home or work – and put them in harm’s way or be used by malicious individuals to discover vulnerable opportunities to retaliate for some perceived offense.
- Compromised Home Security: Individuals identified as high-value targets of theft may be geolocated through a personally identifiable information data breach, which could lead to break-ins, theft and vandalism.
- Customer Support Access: Most customer support centers verify the identity of the person calling by asking PII-related questions. By knowing your personal information, imposters can access your critical records. The harm done can range from requesting an unauthorized password change to draining your accounts.
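The customer support scenario above is worth seeing in code, because it shows why knowledge-based questions drawn from PII stop working the moment that PII has been breached, and what a stronger check looks like. The following is an added example written for this article, not code from the original post or from ThreatModeler; the customer record, the breached attributes, the phone number and the customer ID are all constructed values, and the six-digit one-time code, five-minute expiry and three-attempt limit are assumptions chosen for illustration. It contrasts a knowledge-based check, which an impostor holding the breached PII passes, with an out-of-band check that also requires possession of the phone on file.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample record; every value here is made up for the example.
CUSTOMER_ON_FILE = {
    "customer_id": "c-1001",
    "ssn_last4": "6789",
    "dob": "1980-04-12",
    "mother_maiden": "Smith",
    "phone_on_file": "+1-513-555-0100",  # hypothetical number
}

# What a PII breach hands an impostor: the answers the support script asks
# for, but not the phone the real customer is holding.
BREACHED_PII = {"ssn_last4": "6789", "dob": "1980-04-12", "mother_maiden": "Smith"}

KBA_FIELDS = ("ssn_last4", "dob", "mother_maiden")


def kba_verify(record: dict, answers: dict) -> bool:
    """Weak check: knowledge-based questions built from PII.

    Anyone who holds the customer's PII passes, which is exactly what a
    breach provides. Constant-time comparison is used, but that does not
    help when the 'secret' itself is public.
    """
    return all(
        hmac.compare_digest(str(record[f]), str(answers.get(f, "")))
        for f in KBA_FIELDS
    )


@dataclass
class Challenge:
    code_hash: bytes
    issued_at: float
    attempts: int = 0


@dataclass
class OutOfBandVerifier:
    """Hardened check: a one-time code delivered to a channel already on file.

    Knowing the customer's PII is not enough; the caller must also possess
    the phone the code was sent to. Codes expire and attempts are limited so
    the impostor cannot simply keep guessing.
    """
    ttl_seconds: int = 300      # assumed five-minute validity
    max_attempts: int = 3       # assumed lockout threshold
    _pending: dict = field(default_factory=dict)

    def issue(self, record: dict, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[record["customer_id"]] = Challenge(
            code_hash=hashlib.sha256(code.encode()).digest(), issued_at=now)
        # In a real deployment the code goes out over SMS or app push to
        # record["phone_on_file"] and is never shown to the agent; returning
        # it here stands in for that delivery.
        return code

    def verify(self, customer_id: str, code: str, now: float) -> bool:
        ch = self._pending.get(customer_id)
        if ch is None:
            return False
        if now - ch.issued_at > self.ttl_seconds or ch.attempts >= self.max_attempts:
            del self._pending[customer_id]   # expired or locked out
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), ch.code_hash)
        if ok:
            del self._pending[customer_id]   # one-time use
        return ok


def simulate_support_call() -> dict:
    """Run both checks for an impostor with breached PII and for the real customer."""
    results = {"impostor_passes_kba": kba_verify(CUSTOMER_ON_FILE, BREACHED_PII)}
    oob = OutOfBandVerifier()
    now = 1_700_000_000.0
    delivered = oob.issue(CUSTOMER_ON_FILE, now)   # lands on the phone on file
    # The impostor never sees the delivered code; a guaranteed-wrong guess is
    # derived here only so the simulation is deterministic.
    guess = f"{(int(delivered) + 1) % 10**6:06d}"
    results["impostor_passes_oob"] = oob.verify("c-1001", guess, now + 5)
    # The real customer reads the code off their phone.
    results["customer_passes_oob"] = oob.verify("c-1001", delivered, now + 10)
    return results


if __name__ == "__main__":
    print(simulate_support_call())
```

The design point is the factor being checked: the knowledge-based path asks for things a breach already disclosed, so it verifies nothing about who is calling, while the out-of-band path ties the call to something the customer physically holds. The expiry and attempt limit matter too; without them an impostor could keep the challenge alive and guess at leisure.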
Stolen personal identifying information can be used to target you – or even those associated with you – for direct mail scams or spear phishing attacks, personal or online coercion, slander or blackmail campaigns, or used in any number of other ways that would never be revealed through credit or identity monitoring.
Two years of credit monitoring may be helpful when attackers target an individual's credit cards or open fraudulent financial accounts. Most of the damage done in a personally identifiable information data breach, however, would not show up on an individual's credit report, making credit monitoring ineffective in mitigating the damage that can be done.
In the next article, we’ll look at how a compromise in the security of your Social Security number could have very expensive ramifications for you. Check back with us to learn more about how to protect your sacred nine-digit number.
ThreatModeler Provides the Defenses Your Organization Needs to Protect PII
For most organizations that process PII, security teams face challenges in managing risk. From budgetary concerns to time-sensitive SDLC deployment schedules, CISOs seeking help in fulfilling their security objectives should consider ThreatModeler. ThreatModeler's leading platform sets itself apart from the competition by delivering:
- Automated threat modeling
- Integration with IT project management ticketing solutions such as JIRA and Jenkins
- The ability to scale across thousands of threat models