Buyer Beware: Safeguarding Against Personal Data Breaches

  • Security breaches can result in lost or stolen personal or financial records.
  • Organizations and individuals may experience financial repercussions.
  • Personal data must be protected from unauthorized access.

According to the Identity Theft Resource Center (ITRC), over 400 security breaches were reported from January to August 2014 with over 11 million personal or financial records lost or stolen. These records included individual names, social security numbers, driver license numbers, medical data, and credit and debit card information.

As a result of these breaches, organizations may experience financial repercussions. Worse yet, from an individual’s perspective, exposure of personal data can lead to identity theft. Stolen personal data is often posted on illegal trading sites where criminals from around the world trade personal information for profit. Armed with personal information, criminals can obtain payment cards and receive bank loans in the name of individuals whose data has been compromised.

Data Security

Although individuals have no control over how organizations collect, store, or disseminate information, they can partly safeguard their data against unauthorized exposure by taking care when sharing it with companies and organizations that do not already have access to it or have no business requesting it. I’d like to illustrate this point with an example from my recent shopping experience at a major store chain.

Ask questions about data protection 

During my checkout, the cashier suggested that I join the store’s rewards program to receive discounts on my future purchases. While filling out the form, I noticed the social security number field was marked as required information. When I questioned the purpose of requesting the social security number, the response I received was less than satisfactory: social security numbers are used by the store to uniquely identify the buyers! Aren’t there other ways to uniquely identify customers without requesting such sensitive information? The cashier assured me that this data was safe since it never left the store’s systems. Unfortunately, my extensive experience in penetration testing of these systems proved otherwise, and I declined the offer.

In today’s digitally interconnected world, information that is not properly protected becomes vulnerable to interception or unauthorized access by adversaries. For consumers, this creates the risk of personal data being exploited for financial profit. As organizations increasingly request personal data, individuals are becoming desensitized to such requests, furnishing the data without questioning their validity. This creates more opportunities for criminals to obtain personal data. Caveat emptor!

Jennia Hizver, Consulting Practice Security Researcher and Consultant, AT&T