The Dangers of PII Leaks: 7 Key Insights
Personally Identifiable Information (PII), or personal data, has become a major issue for everyone—whether you’re an individual or an organization. And with more PII being generated and stored every day, the risk of sensitive information being exposed is only increasing.
However, people tend to underestimate the dangers of data security. They might think that no one would target them, or that identity theft is a rare occurrence. But the reality is that when information security is compromised, it can lead to a whole host of legal, ethical, and commercial consequences.
In this guide, you’ll unpack what PII is, along with some examples of real-life PII security incidents in the past. You’ll also learn the best cybersecurity practices for PII data protection.
1. What is PII? What does PII stand for?
PII stands for ‘Personally Identifiable Information’, and it refers to the personal data of anyone.
It’s the information that can be used to identify, contact or locate an individual, either alone (e.g. name or social security number), or combined with other data (e.g. company and position).
Some examples of PII include:
- Identity (name, date of birth, signature, gender, race, familial situation)
- Contact information (address, phone number, email address)
- Professional information (job, company, position, date of hire, HR evaluation, salary)
- Administrative documents (ID, passport number, driver’s licence, social security number)
- Healthcare (biometric data, medical records)
- IT related (password(s), cookies, logs)
What is a PII leak?
A PII leak is when sensitive information is shared without an individual’s knowledge or consent. This could happen via hacking, insider threats, data breaches, or accidental disclosures—such as through a misconfigured server.
Who can access PII?
A lot of PII is already publicly available. If you visit LinkedIn, for example, you can already learn someone’s full name and company information. And you can easily find a phone number from an electronic directory.
Of course, public sources won’t list more sensitive information such as passport numbers and credit card numbers. But when further information is gathered, the person’s profile becomes more and more valuable to hackers.
Here’s why.
2. Why does PII appeal to cybercriminals?
PII is valuable to cybercriminals because personal data can be used to build someone’s profile, in order to exploit it.
When you have someone’s name, position, passport, and credit card number, then you have everything you need to impersonate them and take advantage of their assets.
This is usually for financial gain, and to target other people in turn. For example, cybercriminals might use PII for:
- Identity theft: To gain access to someone’s finances, to make a fraudulent purchase, to apply for a credit card or loan, or to commit other types of fraud.
- Social engineering: With the right personal data, cybercriminals can create convincing emails, messages and phone call scams to manipulate people into sharing more PII.
- Financial gain: PII can be sold on the dark web to other cybercriminals. The more complete the profile is, the higher the price it can be sold for.
- Account takeover: Cybercriminals can use PII to take over online accounts—such as email, social media, and bank accounts. From here, they can commit fraud and target other people, too.
- Blackmail: Sensitive information can be used as an incentive for victims to pay a ransom, especially if this data is embarrassing or compromising in any way.
And as the world becomes increasingly digitalized, the potential for PII leaks, financial information theft, and cybercrime is higher than ever.
Let’s look at some examples of how this can happen.
3. How do cybercriminals steal PII data?
There are a variety of ways that cybercriminals can get unauthorized access to PII data, including:
- Via misconfigured servers: If companies run database software such as Elasticsearch without securing it, cybercriminals will easily find a way in. They can then exploit the data through ransomware, impersonation, corporate espionage, phishing, or simply by selling it on.
- Through social engineering: If cybercriminals can gain trust with authentic-looking emails or calls, they can then exploit people’s vulnerabilities to get more PII.
- With unsecured connected storage devices: These include file servers, NAS devices, and file-synchronisation services that expose detailed organizational datasets. This is often the result of negligence, misconfiguration, default settings, or automatic shadow backups.
For example, in 2020, CybelAngel discovered confidential documents that were exposed by open connected storage devices. The documents revealed the HR evaluations of hundreds of employees, along with internal reports of 16,000 accidents at work in an industrial company.
4. Which of the following is an example of PII leakage?
Any piece of information that can lead back to the person must be protected—even if it looks inconsequential.
Here are 8 quick case studies of PII leaks and breaches to prove it:
- Yahoo: Holding the record for the most people ever affected by a cyberattack, over 3 billion Yahoo user accounts were exposed by a team of Russian hackers
- LinkedIn: In 2021, hackers shared the user profiles of 700 million people, representing most of LinkedIn’s total user base
- Cathay Pacific: In 2018, the airline suffered a mass data breach which revealed the personal information of 94 million travelers
- Equifax: In 2017, Equifax suffered a data breach that compromised the personal data of 147 million people, and had to pay around $425 million to help those who were affected
- Microsoft: Due to a misconfiguration, 47 companies’ databases became publicly accessible and exposed at least 38 million records in 2021
- Real Estate Wealth Network: One of the biggest leaks in US history, this education platform exposed 1.5 billion records due to a lack of password protection
- First American Financial Corp.: In 2019, 885 million file records were leaked—not due to hackers—but due to a poor website design and inadequate data privacy measures
- Facebook: In 2021, Facebook had a huge data breach, sharing the names, phone numbers and passwords of more than 530 million people
From these stories, we can see that not all PII data breaches are necessarily facilitated by cybercriminals. Sometimes, they’re simply the consequence of human error or badly configured systems.
But whatever the cause, these examples show that even the biggest brands aren’t immune to PII data breaches—meaning that PII data security should be a priority for everyone.
5. What’s the difference between a typical and a non-typical PII data breach?
There are two main types of PII data breaches in cybercrime.
- A typical PII data breach is when common types of personal information (like financial information) are stolen for conventional cybercrime purposes—such as identity theft
- A non-typical PII data breach is when less conventional types of data (like biometric or behavioral data) are stolen for a more diverse motive—such as sabotage or political manoeuvring
Regardless of the type of PII data breach, or the motives behind it, they always present a serious security risk to organizations and individuals alike.
6. How do you report a PII leak?
No one wants a PII leak to happen.
But if it does, companies are legally obliged to make a data breach report within 72 hours of it occurring, in accordance with General Data Protection Regulation (GDPR) guidelines.
For US-based organizations, the Federal Trade Commission (FTC) offers guidance on data breach responses, and it recommends the following:
- Secure your infrastructure: Safeguard your physical and digital operations, check for any improperly posted information online, get legal advice, and do not destroy any evidence
- Fix any vulnerabilities: Review third-party permissions, check your network server, work with cybersecurity experts, and have a clear communication policy in place
- Notify the right people: Check your legal requirements, inform law enforcement of what’s happened, and—if it involved electronic personal health records—then you should notify the FTC as well
And what happens if you don’t report a PII leak?
If you don’t report a PII leak or data breach, it could have severe consequences, both legally and for your reputation.
- You might pay regulatory penalties, which can reach up to €20 million under GDPR guidelines in Europe
- You could face lawsuits from people who have been affected by the data breach
- Your reputation will be damaged, due to loss of trust and negative publicity associated with your brand
In addition to this, your operations might be affected if the data breach has not been reported, as it will take more time to resolve it.
Alongside this, lack of reporting can exacerbate the impact on any individuals whose PII has been compromised, as they won’t have received any notifications to change their passwords, check their financial information, or freeze their credit cards, for example.
A well-known case is Yahoo, which paid a $35 million fine in 2018 after it emerged that it had failed to report a data breach for almost two years (linked to the case study we discussed earlier).
7. How can organizations prevent PII data leaks?
There are 10 main best practices that every organization can adopt to reduce their PII data security risks.
- Encrypt your data: Sensitive PII should always be encrypted, whether in transit or at rest, using strong algorithms to keep the data safe.
- Implement access control: Use measures such as role-based access controls (RBAC) and multi-factor authentication (MFA) to reduce the risk of unauthorized access to sensitive data.
- Only collect and store the data you need: “Data minimization” refers to only collecting and keeping PII data that is truly essential for your business purposes, and regularly removing any other unnecessary data.
- Keep things anonymous: If you’re sharing data with third parties for analytics or testing, you could always anonymize or hide any PII data to avoid sharing more information than necessary.
- Train your employees: Cybersecurity measures only work when the whole team is on board. Educate your team about the importance of safeguarding PII data, and how to recognize potential cyber attacks.
- Invest in a Data Loss Prevention (DLP) solution: DLP software can detect and stop any unauthorized data transfers, downloads, and uploads.
- Keep an eye on your digital ecosystem: Keep your software, applications and systems up to date and address any vulnerabilities straight away.
- Have an incident response plan: Create a tried-and-tested system to respond promptly to any PII data breaches that could occur.
- Involve your third-party vendors, too: Set up security assessments, monitoring and contractual agreements for any third-party providers who might have access to PII data on your behalf.
- Audit your cybersecurity posture regularly: Run audits and assessments to catch any weaknesses in your system—before they become a problem.
These best practices will help you to secure your PII data against any leaks or cyber attacks. However, these tips are only effective when your whole organization is on board. Cybersecurity measures should be a natural part of everyone’s daily workflow and processes.
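As an added example (not part of the original post, and not CybelAngel’s tooling), the following Python sketch shows the “only collect what you need” and “keep things anonymous” practices above applied to a constructed set of records before they are handed to a third party, plus a simple redaction pass for PII that ends up in free-text log lines (the “IT related” PII category from section 1). The field names, records, log line and key are all assumptions; the point to notice is that a keyed HMAC is used for pseudonyms rather than a plain hash, because a plain hash of a small-input-space value like an SSN or e-mail address can be reversed by enumeration.

```python
import hmac
import hashlib
import re

# Constructed sample records (not real people) as they might be exported for analytics.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "ssn": "123-45-6789", "purchase": 49.99},
    {"name": "Bob Example", "email": "bob@example.com", "ssn": "987-65-4321", "purchase": 12.50},
]

# Assumed policy: direct identifiers are dropped, e-mail is pseudonymized so the
# analyst can still count distinct customers without learning who they are.
DIRECT_IDENTIFIERS = {"name", "ssn"}
PSEUDONYMIZED = {"email"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. Unlike plain SHA-256, an attacker who sees the
    token cannot enumerate candidate SSNs or e-mails and compare, because the key
    (kept by the data owner, never shared with the third party) is required."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:16]


def minimize_record(record: dict, key: bytes) -> dict:
    """Apply data minimization and pseudonymization to one record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # the analyst does not need it, so it is not shared at all
        if field in PSEUDONYMIZED:
            out[field] = pseudonymize(value, key)
        else:
            out[field] = value
    return out


# Patterns for PII that commonly leaks into log lines (assumed, illustrative formats).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def redact_log_line(line: str) -> tuple[str, list[str]]:
    """Replace each PII match with a typed placeholder; also report which PII
    types were present so a DLP-style monitor can alert on the leak itself."""
    found = []
    for kind, pattern in PII_PATTERNS.items():
        if pattern.search(line):
            found.append(kind)
            line = pattern.sub(f"[{kind.upper()}_REDACTED]", line)
    return line, found
```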
Bonus: How can individuals be advised to prevent PII data leaks?
It’s always best for people to proactively take steps to secure their personal information. As a company, you can share recommendations with your user base so that they can be a part of your cybersecurity initiatives, too.
Here are 4 quick and easy suggestions you can share with your clients:
- Use strong and unique passwords, and change them regularly
- Activate multi-factor authentication (MFA) whenever possible
- Monitor banking apps for any suspicious activity
- Watch out for phishing or social engineering scams
For example, some businesses will send reminders to their customers to change their passwords after a certain timeframe or share information about how to recognize a potential scam.
Conclusion
PII is a vulnerable asset that cybercriminals can exploit, or it can be exposed simply through human error or misconfigured systems. But with the right measures in place, both organizations and individuals can protect their sensitive data.
Here is your PII cybersecurity checklist:
- Always report any data breaches within 72 hours of them occurring, and follow the FTC’s recommendations to resolve them
- Invest in encryption, access control, employee training, and other measures to protect your organization against PII threats
And if you want to go one step further, we have created A Free Checklist to Avoid PII Leaks. Check it out.
CybelAngel exists to safeguard companies’ data, including all types of PII. With its extensive monitoring capabilities, you can be alerted in real time about any data exposure, whether online, on the dark web, or in your unsecured databases, before anyone else has seen it.
To learn more, you can request a demo and discover how CybelAngel could complement your PII protection.