Throughout the 2010s, Personally Identifiable Information (PII) and, more broadly, personal data became a major issue for both users/clients and organizations, raising legal and ethical matters and commercial controversies, but also information security concerns about compromised credentials. Indeed, more and more PII is generated, transmitted, and stored every second, and it has become a prime target for threat actors of all kinds. Yet the danger is often underestimated by end users (“I’m just a nobody, who would target me?”) and by some organizations (“social engineering is for James Bond movies; we’d rather worry about network intrusion!”).
What is PII?
Why would this data be valuable to hackers? Defining it helps answer the question. PII is data that can be used to identify, contact or locate an individual, either on its own (e.g. name, social security number) or in combination with other data (e.g. company + position). Examples of personal data include, but are not limited to:
- Identity (name, date of birth, signature, gender, race, familial situation)
- Contact information (address, phone number, email address)
- Professional information (job, company, position, date of hire, HR evaluation, salary)
- Administrative documents (ID, passport number, driver’s licence, social security number)
- Healthcare (biometric data, medical records)
- IT related (password(s), cookies, logs)
While some of this data is publicly available, much of it is not. The value to hackers lies not just in the amount of personal data found: the more these pieces can be correlated with one another, the more valuable they become. For instance, the names and jobs of potential passengers can be found in an electronic phone directory or on LinkedIn, but neither of these sources includes passport numbers or credit card numbers. When you correlate name, position, passport number and credit card number, as the public exposure of Cathay Pacific’s travelers did, you put at risk a reported 94 million travelers and their organizations. This underscores the point that any piece of information unique to an individual, or that can lead back to the person, must be protected, even if it looks innocuous on its own.
Typical and non-typical PII data breaches: what do they mean for your business?
Where can cyber thieves steal all of this data? In cases like the Marriott breach, the data was stored on an unsecured or misconfigured device, often running a database system such as ElasticSearch, Oracle, SQL or MongoDB. Malicious actors gain access to the data and exploit it for purposes such as ransomware, impersonation, corporate espionage, phishing, or simply selling it on the black market. The vast majority of infamous data breaches result from scenarios similar to this.
In a significant number of cases, attackers also leverage social techniques to reach their targets: according to Verizon’s 2020 DBIR, 22% of data breaches involved “social attacks”, including social engineering and/or the use of stolen PII.
PII can also be compromised in a less well-known, albeit extremely common, way. As with any other information, PII documents and compilations may be found exposed on unsecured connected storage devices such as file servers, NAS appliances or synchronisation protocols. This is often the result of negligence, misconfiguration, default settings, or automatic shadow backups. These exposures, even if they rarely contain as many records as an SQL or ElasticSearch system, are nonetheless very serious given the highly detailed context the documents provide and the completeness of the datasets.
The following are two examples of confidential documents exposed on open connected storage devices, recently found by CybelAngel, which displayed a great deal of data about the companies involved and PII about their customers or employees:
How do you defend your organization against PII data leaks?
Countless web articles and whitepapers explain the “Top 10 Steps to secure PII against Loss or Compromise”, which are basically the sine qua non of IT security: data mapping and classification, developing and enforcing policy, encryption, employee education and testing, and so on. As relevant as this advice might be, it is only useful when it is truly internalized by the organization and put into daily standard operating processes and procedures.
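Two of the points above lend themselves to a small worked example: the earlier observation that correlated PII is worth far more than isolated pieces, and the “data mapping and classification” step listed here. The script below is an added example written for this edit, not CybelAngel’s code or tooling. It scans a few constructed sample documents for some of the PII categories listed in this article, validates card-number candidates with the Luhn check so that random digit runs are not counted, and tiers each document by how many distinct categories co-occur, which is how a classifier would decide which files on a share deserve attention first. The regular expressions and the passport layout are simplified assumptions, not production-grade, locale-aware detectors.

```python
import re

# Illustrative detectors for some PII categories from the article's list
# (assumption: simplified patterns; real deployments use locale-aware,
# validated ones). Lookarounds stop them firing inside longer digit runs.
PII_PATTERNS = {
    "email":    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone":    re.compile(r"(?<!\d)(?:\+?\d{1,3}[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)"),
    "ssn":      re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),   # US SSN layout
    "passport": re.compile(r"\b[A-Z]{1,2}\d{7,8}\b"),             # hypothetical layout
    "card":     re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)"),   # 13-19 digits, spaces/dashes allowed
}

# Risk tier by number of distinct categories found; three or more is "high".
RISK_TIERS = {0: "none", 1: "low", 2: "medium"}


def luhn_valid(number):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return {category: [matched strings]} for every category with a hit."""
    found = {}
    for category, pattern in PII_PATTERNS.items():
        hits = [m.group(0).strip() for m in pattern.finditer(text)]
        if category == "card":
            # The checksum filters digit runs that merely look like card numbers.
            hits = [h for h in hits if luhn_valid(h)]
        if hits:
            found[category] = hits
    return found


def classify(text):
    """Classify one document: which categories it holds and how risky the combination is."""
    found = find_pii(text)
    return {"categories": sorted(found),
            "tier": RISK_TIERS.get(len(found), "high"),
            "matches": found}


def scan_documents(docs):
    """Classify a mapping of document name -> text, e.g. files read from a share."""
    return {name: classify(text) for name, text in docs.items()}


# Constructed sample documents (fictional people and numbers).
SAMPLE_DOCS = {
    "manifest":    "Passenger: Jane Doe, jane.doe@example.com, +1 555 123 4567, "
                   "passport X1234567, card 4111 1111 1111 1111",
    "hr_record":   "Employee record: John Smith, SSN 123-45-6789, john.smith@example.com",
    "notice":      "Contact the front desk at 555-123-4567 for opening hours.",
    "invalid_ref": "Ref 4111 1111 1111 1112 is not a card number (fails Luhn).",
}

if __name__ == "__main__":
    for name, result in scan_documents(SAMPLE_DOCS).items():
        print(f"{name:<12} tier={result['tier']:<6} categories={result['categories']}")
```

The “manifest” document lands in the high tier even though each of its fields, taken alone, would be a low-tier finding: that is the correlation effect in miniature, and it is why a classifier should score combinations rather than count matches.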
A significant blind spot still remains in the quest to stop the compromise of PII: the ever-growing number of third parties that enterprises rely upon and routinely share sensitive data with. DarkReading reported in February 2020, “The total number of such third-party breaches hit 368 in 2019, up from 328 in 2018 and 273 in 2017 — a 35% increase in two years … 4.8 billion [records exposed].” Now consider how many of these data breaches exposed PII that eroded customer confidence, caused stock values to plummet, and resulted in significant legal and regulatory penalties.
CybelAngel has developed dynamic solutions to protect companies’ valuable data, including all types of PII. Our continuous data leak monitoring alerts companies in real time about their data exposure across multiple perimeters on the internet. Moreover, we have developed the capability to monitor the data inside unsecured databases that have not yet been exploited (neither stolen nor ransomed), finding exposed credentials before threat actors do.